[00:00.000 --> 00:06.300]  I'm putting it in the GitHub repo there. I've got the lab files, I've got the software you need,
[00:06.300 --> 00:09.260]  and I do want to explain this because I know people are already clicking and cloning and
[00:09.260 --> 00:14.540]  stuff like that. What you're going to need, there's three components to the labs that we're
[00:14.540 --> 00:20.400]  going to do. One, you're going to need some software. I did it this way because with the
[00:20.400 --> 00:26.880]  work from home and COVID-19 stuff, I've done at least 20 workshops in the last couple of months,
[00:26.880 --> 00:31.080]  and I've started realizing that people's home internet isn't always reliable and stuff like
[00:31.080 --> 00:35.540]  that. So the attempt with this, and I've had a couple people say they didn't like it, but I
[00:35.540 --> 00:40.140]  think it saves a lot of us who didn't get a chance to download a 20 gig VM before the workshop,
[00:40.140 --> 00:47.260]  is that rather than doing a virtual machine for you, what you have here is four pieces of software
[00:47.260 --> 00:51.860]  you need that run off of Windows. So obviously you can get a VM if you want and install those,
[00:51.860 --> 00:56.440]  but any Windows 10 machine should work. You need the database browser for SQLite,
[00:56.440 --> 01:01.740]  Notepad++. Obviously you could use Atom or anything else, but that's the one I recommend.
[01:01.740 --> 01:07.600]  You need a hex editor such as HxD hex editor, and then you do need Registry Explorer. The one
[01:07.600 --> 01:14.660]  I'm using in the lab is version 1.5.2 or 20. And then there's three labs we're going to work on.
[01:14.660 --> 01:19.260]  I don't know if we'll get through all of them or not, but I've got the workthroughs and actually
[01:19.260 --> 01:25.400]  the answers. So if we only get through one or two of those labs, you've got everything you need.
[01:25.400 --> 01:32.220]  The third component that's not on the screen here is that what I did is I had a virtual machine with
[01:33.120 --> 01:40.360]  everything throughout the scenario that we're going to talk about. And with that, I then used
[01:40.360 --> 01:46.440]  KAPE to extract the key artifacts that we're going to look for throughout the workshop. And so rather
[01:46.440 --> 01:50.780]  than getting a whole virtual machine with a couple of interesting things I wanted you to look at,
[01:50.780 --> 01:56.320]  I just extracted those interesting things. So there's a zip file that's called... let's see if
[01:56.320 --> 02:05.280]  I can find it on my screen here. It is evidence and then it's a dash, desktop dash, and some
[02:05.280 --> 02:10.960]  random numbers dot zip. That will need a password of infected, all lowercase. I recommend you not
[02:10.960 --> 02:15.900]  use Windows Explorer to extract it. It generally has issues realizing that it's encrypted or has
[02:15.940 --> 02:21.760]  a password. Don't worry, there is no malware. I just wanted to password protect it and I knew I'd
[02:21.760 --> 02:26.920]  forget what it was called. So all my workshops I just use infected as the password. What you're
[02:26.920 --> 02:32.020]  going to have in there is those key artifacts from a Windows 10 machine where an incident happened
[02:32.020 --> 02:38.180]  and we'll kind of walk through that scenario and what that looked like. Okay, so I'll move on here.
[02:38.820 --> 02:43.580]  My name is Michael Wiley, Director of Cybersecurity Services at Richey May Technology Solutions. I'm
[02:43.580 --> 02:49.960]  an avid certification collector. It's just one after another. I love to learn. I've been in
[02:49.960 --> 02:54.300]  the industry for a while and the more I learn, the more I realize I don't know and I need to
[02:55.060 --> 03:01.100]  expand my knowledge. So some people ask why I've got certifications in such different areas. For
[03:01.100 --> 03:07.200]  example, I've got some pen testing certs. Then I also have some architecture and design certifications,
[03:07.200 --> 03:13.040]  your CCNAs, and then I also have a Windows Forensics certification. But I think that all
[03:13.040 --> 03:18.080]  those complement my day-to-day job. And the more I learn about other fields, I realize how that can
[03:18.080 --> 03:23.060]  help me in the tasks I do, even if I'm not a forensic examiner per se. I'm not for law
[03:23.060 --> 03:27.500]  enforcement or anything like that. I've got my LinkedIn and Twitter information on the bottom
[03:27.500 --> 03:31.820]  corner there. Please connect. That's probably the best way to get ahold of me after this.
[03:32.160 --> 03:38.220]  I respond quicker, even quicker than email if you connect with me on LinkedIn. I also post a lot of
[03:38.220 --> 03:44.240]  things I find relevant or interesting about the industry. Prior to my joining Richey May
[03:44.240 --> 03:49.100]  Technology Solutions, I owned a boutique cyber security firm in Los Angeles. That's where I
[03:49.100 --> 03:53.500]  really grew a lot of my security skills. Even though I'm a director now, I'm very hands-on,
[03:53.500 --> 03:58.220]  and I think you'll see that a lot of my workshops and slides are quite technical in my opinion.
[03:58.760 --> 04:03.060]  I get bored with paperwork, even though I have to do a lot of policy and procedure work these days.
[04:03.060 --> 04:08.660]  I still like doing pen tests. I'm a recovering red teamer. I still like doing forensic
[04:08.660 --> 04:15.720]  examinations. It's how I wake up in the morning, if you will. That's it about me. Let's get on to
[04:16.200 --> 04:22.140]  a little bit about the company I work for. I did have my firm for a long time, and once I had a
[04:22.140 --> 04:26.980]  kid, I realized I wanted to not work as many hundred-hour weeks, and I wanted to spend a
[04:26.980 --> 04:31.960]  little more time with the family. So my firm merged with Richey May to form Richey May Technology
[04:31.960 --> 04:37.180]  Solutions. We do a lot of cloud workflow integrations. I work with, specifically since
[04:37.180 --> 04:41.360]  I'm near Hollywood, I work with a lot of the studios and the vendors that make the movies you
[04:41.360 --> 04:46.560]  used to watch at AMC, and now you watch at home or on streaming platforms. So I do a lot of content
[04:46.560 --> 04:51.840]  protection and workflow and stuff like that. I used to be one of 20, now I'm one of 40 worldwide
[04:51.840 --> 04:58.760]  that can do security assessments on behalf of the major studios that make films. So the learning
[04:58.760 --> 05:03.600]  objectives for this workshop, we're going to learn what file artifacts are available in cloud
[05:03.600 --> 05:07.700]  solutions, cloud file storage solutions. We're going to see what kind of cloud file storage
[05:07.700 --> 05:13.240]  user activities can be enumerated. We'll be introduced to application log capabilities,
[05:13.240 --> 05:18.920]  examine the difference between providers, and so on and so forth. Now, one thing I do want to...
[05:18.920 --> 05:23.640]  I want to give recognition where recognition is due. An instance: the first time I started
[05:23.640 --> 05:27.500]  getting into some of these cloud file storage solutions and trying to dig a little bit deeper
[05:27.500 --> 05:36.120]  was when I was working a case, I don't know, three years ago-ish. And it was a company where the COO
[05:36.120 --> 05:41.020]  was a relative to the CEO. And that person left the company and there was suspicion that they
[05:41.020 --> 05:47.420]  poached a lot of the clients. And they asked us to do a forensic examination on the hard drive and
[05:47.420 --> 05:52.500]  figure out if information was sent, stolen. There was just a lot of odd behaviors about how that
[05:52.500 --> 05:58.080]  person left the company. And so one of the things I found there was a cloud file storage solution,
[05:58.080 --> 06:03.640]  and we were able to identify what files were uploaded, synced, things like that. And this
[06:03.640 --> 06:07.860]  cloud file storage solution was not sanctioned by the company. So this was a personal account that
[06:07.860 --> 06:13.300]  was installed on the Windows machine and was used to exfiltrate data, essentially. And so I got into
[06:13.300 --> 06:18.100]  it in that forensic examination, and I got curious, did a little more research, and then I ended up
[06:18.100 --> 06:21.740]  taking a SANS course as well. And they had a section on that that filled in a lot of the
[06:21.740 --> 06:26.640]  gaps of my research that was missing. So, you know, there's a lot of people and their research
[06:26.640 --> 06:30.900]  involved. So I do want to put their names on the screen and recognize them, including SANS Institute
[06:31.400 --> 06:35.780]  and a lot of people that had research on sections of these tools, because there's a lot of
[06:35.780 --> 06:42.760]  information throughout here, and they've helped fill in a lot of the gaps for me. So cloud file
[06:42.760 --> 06:46.100]  storage overviews, you know, what exactly we're talking about when I say cloud file storage
[06:46.100 --> 06:52.020]  solutions? Well, we're talking about your Box, Dropbox, OneDrive, Amazon Drive, Google Drive,
[06:52.020 --> 06:56.600]  ShareFile, iCloud, those kind of things when I talk about a cloud file storage solution.
[06:56.820 --> 07:00.680]  Now, the reason they're becoming so popular is that there's this perceived benefit that you get
[07:00.680 --> 07:05.380]  when you switch to one of these, or use one of these over, let's say, a file sharing, an on-premise
[07:05.380 --> 07:11.280]  file share. You get protections against disasters, and these are perceived because obviously everyone's
[07:11.280 --> 07:16.920]  had their outage, but these providers can do a lot better job than system administrators, in my
[07:16.920 --> 07:22.420]  opinion, from every organization to keep their data available. So when there's a pandemic, and everyone's
[07:22.420 --> 07:26.700]  got to work from home, you know, overnight, essentially, you still have access to those files.
[07:27.120 --> 07:32.260]  Disperse teams, they can have access to these files, rather than having a VPN in. You've got
[07:32.260 --> 07:36.180]  decrease in maintenance, so system admins don't have to update the underlying operating system,
[07:36.180 --> 07:41.260]  they don't have to patch Adobe, they don't have to do all that maintenance on the file share.
[07:41.280 --> 07:47.120]  If anyone's ever worked with DFS, I mean, that's why cloud file storage solutions are
[07:47.120 --> 07:51.900]  becoming more popular, in my opinion. They've got that high availability, they're scalable. So rather
[07:51.900 --> 07:58.340]  than adding hard drives to RAID, or adding more servers to a cluster, you just literally say,
[07:58.340 --> 08:02.720]  Google, here's an extra 10 bucks a month, now give me an extra terabyte. So it's very easy to
[08:03.280 --> 08:08.820]  scale that. You've got ease of management. So you've just got GUIs and web interfaces, you can
[08:08.820 --> 08:15.000]  provision new users through web portals, as well as single sign on, etc. It's very easy for user
[08:15.640 --> 08:19.780]  management. And then we may see two different solutions that I'll kind of talk about a little
[08:19.780 --> 08:25.020]  bit later. And one is that you may have a business authorized or business sanctioned cloud file
[08:25.020 --> 08:30.100]  storing solution. So maybe it's an enterprise Office 365 account, and they give you OneDrive,
[08:30.100 --> 08:35.260]  or you have a business version of Dropbox. But then we also run into scenarios where I often
[08:35.260 --> 08:40.920]  see these different providers out there on Windows machines, or even Mac machines, where they
[08:40.920 --> 08:44.240]  were not sanctioned by the company. And maybe someone thought they were doing the company a
[08:44.240 --> 08:48.920]  favor because they had to move files from one machine to another. I vividly remember coming
[08:48.920 --> 08:56.180]  in trying to help architect a more secure solution for a plastic surgery firm in Beverly Hills.
[08:56.180 --> 09:01.260]  And the company ended up, they only had a couple people, but they were doing plastic surgery on
[09:01.260 --> 09:07.180]  famous people. And they wanted to have isolated air gap networks. And I thought, great. And they
[09:07.180 --> 09:10.220]  said, so this is kind of what we did. We want a better solution because we've got one computer
[09:10.220 --> 09:14.840]  here for internet access. And then we have another computer over here and that has medical files.
[09:14.840 --> 09:18.560]  And everyone's got two computers and they're swiveling back and forth. We call it swivel net.
[09:18.920 --> 09:22.240]  So you do one job or another, so there's got to be a better way. And I was like, well,
[09:22.240 --> 09:27.240]  this actually sounds fairly secure, but let me look into it. And as I dug into it, I realized,
[09:27.240 --> 09:31.700]  yes, they were two different computers, but they had personal Dropbox accounts on both computers
[09:31.700 --> 09:35.840]  and they were syncing the files back and forth because they needed to, obviously they downloaded
[09:35.840 --> 09:40.380]  stuff from, let's say an EMR and they needed to move it into the, I don't want to say production
[09:40.380 --> 09:45.540]  network, but the medical network. And there was that bridge that bridged the gap there. And so that was
[09:45.540 --> 09:50.260]  not a commercial version. That was a Gmail or Yahoo or an AOL account that the employees set up
[09:50.260 --> 09:55.400]  because they thought they were making their job more efficient, but there was no control over that.
[09:55.400 --> 10:00.100]  So this came from Spiceworks. I apologize. I don't have the source there. I'll try and post
[10:00.100 --> 10:05.800]  that later on. But it's a Spiceworks study. You can Google it. Cloud file storage solutions,
[10:05.800 --> 10:09.640]  Spiceworks, market research, and you'll find this. But I tried to extrapolate some of the
[10:09.640 --> 10:14.520]  interesting things that I saw here, obviously from a couple of perspectives. One, so you know
[10:14.520 --> 10:18.000]  what's more prevalent, but two, depending on which side of the fence you are on, if you're
[10:18.000 --> 10:22.800]  offensive security, you can see what you're most likely to see, right? And obviously Microsoft
[10:22.800 --> 10:28.180]  OneDrive, they've baked that into Windows 10 and they make it very easy for you to use OneDrive.
[10:28.240 --> 10:34.440]  And so we're seeing that organizations more and more are using OneDrive solutions, right? Followed
[10:34.440 --> 10:38.160]  by Google Drive. I believe that's because of G Suite and that's kind of bundled in there. And
[10:38.160 --> 10:43.080]  then Dropbox is the largest independent source that you may see out there in the enterprise.
[10:43.280 --> 10:47.780]  And then followed by Box has a very small market share, except for large enterprises.
[10:47.840 --> 10:51.600]  We see a lot of that within different studios and post-production houses.
[10:51.600 --> 10:55.260]  They've done some work with the MPA and I think that's why we see that.
[10:55.660 --> 11:01.060]  And then Citrix ShareFile, not very popular, but I see a lot in the financial sector. So Richey
[11:01.060 --> 11:05.080]  May really focuses on two verticals. We're in the media entertainment space and we're in the
[11:05.080 --> 11:10.260]  financial space. We've got clients in all different industries, but those are really our niches.
[11:10.320 --> 11:14.900]  And so I see a lot of Citrix ShareFile. I thought it was going to be more than whatever it says
[11:14.900 --> 11:20.340]  there, about five to 10%. But since I see it so much, I have the research and I included it in
[11:20.340 --> 11:24.780]  this workshop. So here's the two different scenarios you might run across. You may see that
[11:24.780 --> 11:29.240]  on the left side there of my screen, I've got that corporate environment. Maybe they've got
[11:29.860 --> 11:35.640]  a CASB solution involved. There's a firewall. It's a sanctioned cloud file storage solution there.
[11:35.640 --> 11:39.740]  On the right hand side there, we've got some that they may even still have that sanctioned cloud
[11:39.740 --> 11:45.200]  file storage solution like OneDrive, but then the end user may use their personal G drive or
[11:46.080 --> 11:51.380]  Dropbox account because they wanted to get the certain data on and off of that computer system.
[11:51.380 --> 11:56.980]  And USB drives are just not as popular these days. So you may see that that bypasses CASB
[11:56.980 --> 12:02.520]  solutions. A lot of the CASB solutions I've looked at are limited as far as they're not in line. And
[12:02.520 --> 12:08.220]  so there's certain instances where you may install or use these cloud file storage solutions, whether
[12:08.220 --> 12:12.600]  it's you install the agent or you go through the web browser and that expensive CASB solution that
[12:12.600 --> 12:18.880]  you've got as your one of your layers of security may not even see that data leave or come in and
[12:18.880 --> 12:24.060]  out of the network. Okay, so what kind of gems are we talking about here that we might be able to see?
[12:24.200 --> 12:28.760]  If we're again, I'm trying to phrase this as two different sides. You've got this workshop I think
[12:28.760 --> 12:33.200]  can go well for incident responders and forensic people. They can see what artifacts are left
[12:33.200 --> 12:38.280]  behind. But I also think that as offensive security, there's also something you can gain
[12:38.280 --> 12:44.200]  here in looking at this post-exploitation, seeing what kind of data
[12:44.200 --> 12:50.140]  might be stored and what things you can extrapolate from these agents or artifacts left behind, you
[12:50.140 --> 12:54.060]  may be able to get a lot of interesting things during a pen test or red team engagement.
[12:54.360 --> 12:58.660]  So many organizations are now using these tools as a file server replacement. So you might find
[12:58.660 --> 13:05.420]  customer data, financials, employee data, whatever you'd see on a file share, you may see
[13:05.420 --> 13:11.440]  there. I mean, all kinds of confidential stuff. The apps, if they install the application,
[13:11.440 --> 13:16.500]  whether it's business sanctioned, or a personal install of the desired application, you might see
[13:16.500 --> 13:22.260]  cached files. So whether that file exists still in the file system, maybe they downloaded something
[13:22.260 --> 13:27.340]  and deleted it, that cached copy, because it was opened up, may still be there; there may be remnants there
[13:27.340 --> 13:32.420]  that you can now pull out. So someone downloaded customer data, they realized they shouldn't have
[13:32.420 --> 13:36.160]  it, they go ahead and delete it, that cached copy is still there. And if you're on a pen test, you can
[13:36.160 --> 13:41.680]  just go grab that cache copy and recreate all the data. You might see local files, even for cloud
[13:41.680 --> 13:45.820]  files, most of the cloud file storage solutions we're going to look at, even though
[13:45.820 --> 13:52.540]  you're not going to touch the cloud files, you know, maybe they've disconnected or they
[13:52.540 --> 13:57.920]  are not syncing anymore, we still can look at the databases and we can see all the files they
[13:57.920 --> 14:02.400]  have access to in the cloud, even if it's not on the local file system. So we might not be
[14:02.400 --> 14:07.120]  able to get those files, but now we know they're sitting there. We can get usage of different files,
[14:07.120 --> 14:11.020]  we can say, wow, they're really, you know, there's a lot of work going into this one file, this
[14:11.020 --> 14:15.340]  customer file, this might be something I want to look at. You may also be able to see traces
[14:15.340 --> 14:20.100]  of deleted files. So even if they do delete it and maybe we'll see it in the cache, maybe we won't,
[14:20.100 --> 14:25.120]  but even if they didn't open it up on the local file system, we may be able to get remnants of
[14:25.120 --> 14:31.260]  that file. So I kind of went over this already, it's either going to be company issued
[14:31.260 --> 14:37.820]  or you might have a free account. Depending on which side you're on, again, defense or offense,
[14:37.820 --> 14:41.700]  if you're on the defense and you're trying to find some of this stuff from incident response
[14:41.700 --> 14:45.620]  perspective or forensics, you might look at this and say, well, if it's a free account,
[14:45.620 --> 14:49.820]  we don't get access to the logs. But if it's a business account, we might actually get access to
[14:50.580 --> 14:54.780]  some more advanced logging. But again, it's depending on where you sit, your background
[14:54.780 --> 14:59.860]  and how you're going to use this. With the business or enterprise accounts, you know,
[14:59.860 --> 15:04.880]  for Google, you've got G Suite. For Microsoft, you have Office 365. For Box, it's called Box
[15:04.880 --> 15:10.660]  for Business or Box Enterprise. And then Dropbox, they call it Dropbox Pro. On the free side,
[15:10.660 --> 15:16.660]  you can actually get some decent size storage there. For Google Drive, you can get free 15 gigs.
[15:16.660 --> 15:21.280]  Can you imagine the amount of stuff that people can exfiltrate from your environment with 15 gigs?
[15:21.280 --> 15:27.360]  With OneDrive Basic, you only get five gigs. Dropbox is the smallest, two gigs. And then
[15:28.300 --> 15:32.200]  Box Starter, it's 100 gigs. The reason I don't have Citrix share file on here is that
[15:32.800 --> 15:36.760]  it's only trial. There is no free version. It's an enterprise grade tool.
[15:37.620 --> 15:43.540]  It's behind a paywall or trial wall that you have to go and get that. So you can use it obviously
[15:43.540 --> 15:48.180]  for a while, but it's not something I'm generally going to see as an unauthorized or free version,
[15:48.180 --> 15:54.700]  just because it's on the enterprise side. Okay, so let's now dive into Microsoft OneDrive.
[15:56.300 --> 16:03.080]  So a little bit about it. It's baked into Windows 8 and plus. Windows 10, it's built into it. It's
[16:03.080 --> 16:09.040]  almost like a virus, right? It's there. However, it's sitting there, but a lot of the artifacts
[16:09.040 --> 16:13.620]  and directories, registry keys are not there until you actually authenticate. So once you
[16:14.120 --> 16:18.880]  authenticate, it then becomes enabled and directories such as the AppData\Local\Microsoft
[16:18.880 --> 16:24.200]  \OneDrive directory is then created. So obviously, if that folder is not there, you can assume that
[16:24.200 --> 16:30.740]  they have not been using OneDrive on that system. There's a lot of differences between the personal
[16:30.740 --> 16:37.680]  and the paid version of OneDrive. So for example, the personal OneDrive log files, you're going to
[16:37.680 --> 16:42.620]  see them within AppData\Local\Microsoft\OneDrive\logs. And then if it's a personal account, you'll
[16:42.620 --> 16:50.600]  see a Personal directory. If it is a business Office 365 account, you're going to see Business1
[16:50.600 --> 16:54.680]  is the first account that's synced. And if you sync more accounts, you'll see Business2,
[16:54.680 --> 17:02.280]  Business3, Business4, and so on. Now, from my research, there's no logging on the
[17:02.280 --> 17:07.660]  web side of it for personal accounts. However, with business, you have Office 365 unified audit
[17:07.660 --> 17:12.400]  logs that provide a lot more information. And by default, those are set at 90 days.
[17:12.440 --> 17:17.740]  From an incident that my team is working on currently with a massive breach, I can tell you
[17:17.740 --> 17:23.060]  that 90 days is probably not long enough. So there is some stuff there, but it does get rolled over
[17:23.060 --> 17:30.400]  pretty quickly. Okay. And if you look at the logging capabilities, obviously on the right-hand
[17:30.400 --> 17:34.960]  side, you've got the business version there with the unified audit logs. But the personal version,
[17:34.960 --> 17:40.180]  you're probably, if you want to start looking at behavior or what's happened on that endpoint,
[17:40.180 --> 17:45.540]  you're going to have to look at more of the logs that are stored locally on the file system.
[17:46.340 --> 17:53.100]  Okay, so this grid here is really meant just to show the different locations and what those
[17:53.100 --> 18:00.220]  locations are, whether it's a file or a directory. For example, OneDrive, if you see a OneDrive
[18:00.220 --> 18:04.540]  directory, it's a personal, that's where all their personal files are stored. If you see OneDrive dash
[18:04.540 --> 18:09.000]  the company name, that's going to tell you two things. One, the company name, and they're using
[18:09.000 --> 18:13.860]  Office 365. So you know immediately there's more logging capability, probably up to 90 days
[18:13.860 --> 18:19.920]  somewhere on the cloud. Then there's other things like the root, or we've already talked about the
[18:19.920 --> 18:24.660]  root log directories and how it's either Personal or Business1. There's an interesting file
[18:24.660 --> 18:30.020]  called SyncDiagnostics.log, and that provides you with metadata for both local and cloud files. So
[18:30.020 --> 18:34.640]  even if they've decided not to sync, or they have yet to sync a file from the cloud, you get access
[18:34.640 --> 18:38.800]  to the name of that file in the SyncDiagnostics log, potentially, and we'll talk about that in
[18:38.840 --> 18:45.360]  a second. There's a .dat file, and so the way it's going to work is if whether it's a personal
[18:45.360 --> 18:51.100]  or business account, it's going to be their CID. So it's the customer ID number followed by .dat, and so that's
[18:51.100 --> 18:56.260]  going to differ for every system you look at. So one thing there, you get their CID number, or CID
[18:56.260 --> 19:01.340]  string, and once you go into that, you're going to see a list of all the local and cloud files.
[19:01.780 --> 19:08.160]  If you look at the CID.ini file, you're going to see the file store locations, the last sync time,
[19:08.160 --> 19:14.360]  usage details of how they're using OneDrive, and if you look at the CID-profile-service-response.txt
[19:14.360 --> 19:20.340]  file, that's going to give you only for a personal account. For business accounts, it does not exist
[19:20.340 --> 19:25.520]  for my testing, but for personal accounts, it'll get you the name, email address, CID, email,
[19:25.520 --> 19:29.660]  I guess I have email twice there, phone number, title, department, that kind of stuff. I think
[19:29.660 --> 19:34.260]  it's interesting though, because what personal user, or if you sign up for OneDrive, it doesn't
[19:34.260 --> 19:38.840]  ask for that information, like your phone number or your business title. However, that's listed
[19:38.840 --> 19:44.240]  there. So I didn't even see a location when I went to OneDrive.com to go to my profile and actually
[19:44.240 --> 19:48.460]  add a title and department and stuff, which is most of the time why you're going to see those
[19:48.460 --> 19:54.500]  fields as null if you look at that text file. Then there's also an obfuscation string map text file.
[19:55.160 --> 20:01.800]  That one's a little bit interesting, and I'll kind of show you how that works a little bit later. I found two
[20:01.800 --> 20:07.060]  types of those sync diagnostic log files, and I haven't done extensive testing on this. However,
[20:07.060 --> 20:14.140]  I do have a theory based off my limited testing. So during my testing, I had Office 365 OneDrive,
[20:14.140 --> 20:18.860]  and I had... so it's a business version, right? And I didn't want to go buy 10 different versions
[20:18.860 --> 20:23.820]  to test this, but I got what I'm going to call the summary version of the sync diagnostics file.
[20:23.820 --> 20:28.880]  And I'll show you the two versions. Now, when I set up a free personal account, and I had two
[20:28.880 --> 20:34.300]  virtual machines in my lab environment, the first virtual machine got what I'm calling the detailed
[20:34.300 --> 20:41.260]  sync diagnostics file. It was much more verbose. Then I synced a second virtual machine to basically
[20:41.260 --> 20:45.680]  see how that would work, and I opened up the sync diagnostic file on the second VM, and I got what
[20:45.680 --> 20:52.100]  I'm calling the summary version. So my theory is that it's possibly the first machine you sync
[20:52.100 --> 20:57.900]  with OneDrive, it gets the detailed version, and everyone after that, like the secondary machines
[20:58.840 --> 21:05.360]  within the sync cluster, if you will, those get the detailed version. It's more of statistical data.
[21:06.000 --> 21:11.200]  So let's look at the two different versions. So with the detailed sync diagnostics log file,
[21:11.200 --> 21:16.880]  I can see things here like files and folders that are added. And the weird part, though,
[21:16.880 --> 21:22.420]  is you'll see mount point followed by what looks like a GUID, or a CID followed by some kind of
[21:22.420 --> 21:28.160]  unique character. And then it'll have a backslash, and then it'll have three words like far, jump,
[21:28.160 --> 21:36.280]  sue, sea, bat, egg, car, reg, tax, rat, tad, up. So there are three words grouped together.
[21:36.680 --> 21:40.020]  And when I first looked at that, I thought, what the heck is this? Obviously, there's some kind of
[21:40.020 --> 21:44.740]  pattern going on, you know, three different words in the capitalization, but where is this coming
[21:44.740 --> 21:50.960]  from? I don't have any files called far, jump, saw, or sue, or sea, bat, egg. That's not a folder
[21:51.520 --> 21:57.360]  that I added. I'll show you how that works in a second, but we'll come back to that. On the right
[21:57.360 --> 22:01.520]  hand side there, I've got the summary diagnostics file, which is the other version where you get
[22:01.520 --> 22:07.800]  more of stuff like this, where you get sync progress, you get the last sync time in Unix
[22:07.800 --> 22:14.640]  epoch, you get the number of files uploaded, downloaded, files, folders created, you get
[22:14.640 --> 22:20.080]  basically more of summary type data. Now, going back to that detailed version, what I eventually
[22:20.080 --> 22:27.420]  figured out is that those names, those three word names like sea, bat, egg, or far, jump, sue,
[22:27.420 --> 22:33.520]  those things map back to the obfuscation string map. So I don't really have a knowledge of why
[22:33.520 --> 22:37.580]  Microsoft did this, but I do find it interesting that if you go to the sync diagnostics,
[22:37.580 --> 22:44.340]  you're not going to see the actual file names, you're seeing those obfuscated strings. It's not
[22:44.340 --> 22:49.900]  terribly difficult to de-obfuscate them, it's just time consuming. And I'm sure someone's written a
[22:49.900 --> 22:55.580]  parser for this, but you have to open up that string obfuscation map text file, and there you
[22:56.280 --> 23:00.960]  can then map back those files. And we can see on the left side, I have sea, bat, egg, which is
[23:00.960 --> 23:05.800]  equivalent to my desktop. So basically, the sync diagnostics folder is saying that my desktop was
[23:05.800 --> 23:11.920]  synced. That folder was added to the sync. Okay, and here's just, again, another example,
[23:11.960 --> 23:17.160]  a little bit bigger, where you could see that those different names, like joke, yak, log,
[23:17.160 --> 23:25.040]  equates to my C directory. Or coy, you, quill, that's going to be myly, which is probably my
[23:25.040 --> 23:32.560]  user's directory. Okay, the CID.dat file, it's a little hard to read. If you open it up in the
[23:32.560 --> 23:37.800]  editor, you will kind of see the file names. However, searching, I wasn't able to do this.
[23:37.800 --> 23:42.400]  And I do think it's because, obviously, those dots that are between each character, and I'm
[23:42.400 --> 23:47.320]  pretty sure there's a way to search more human readable. But when I search for travel, or
[23:47.320 --> 23:53.800]  itinerary, or PDF, it was not found because of those dots. So you can parse through that manually,
[23:53.800 --> 23:58.100]  but a better version is probably, or a better way to do that is probably using something like
[23:58.100 --> 24:06.560]  strings, or B strings. So here I use strings against that CID.dat file on the personal version.
[24:06.560 --> 24:10.740]  And I was able to extract things there that are human readable, like documents, personal,
[24:10.740 --> 24:17.520]  vault, pictures, camera roll. Those other things up there, as far as like E94, 23, blah, blah, blah,
[24:17.520 --> 24:22.760]  exclamation point, exclamation point 104, I don't know what those are. And they come back to haunt
[24:22.760 --> 24:27.520]  us in the business version as well. I'm not sure if those are like the CID, and then some
[24:28.100 --> 24:33.960]  inode ID. I'm still doing some research into that piece. Now on the business version, though, if we
[24:33.960 --> 24:41.240]  look at the CID.dat file, it's not as easy. We don't see as clear things, even if we pull it out
[24:41.240 --> 24:45.120]  in strings. However, when I started looking through this, I saw what looked again like
[24:45.120 --> 24:51.560]  GUIDs, or maybe hashes there. And so I'm thinking more along the lines of they're MD5 hashes. But when
[24:51.560 --> 24:57.260]  I tried to search that in the string obfuscation text file, it doesn't pull things up properly.
[24:57.260 --> 25:01.460]  We can see that that hash or that string is mapped somewhere, but it doesn't really tell us
[25:01.460 --> 25:07.820]  what it is. It says something like 23-paged CT equals one. I don't really know what that maps
[25:07.820 --> 25:14.680]  back to. So on the business versions, we didn't really get a full list of files and folders that
[25:14.680 --> 25:22.500]  were added. With the CID.ini, we could see things there like the location or the URL for their OneDrive
[25:22.500 --> 25:28.380]  or their Google Drive, sorry, not Google Drive, their OneDrive or their share file, I'm sorry,
[25:28.380 --> 25:34.500]  share sync. And then with the last refresh time, it's in Unix Epoch, we can see the last time they
[25:34.500 --> 25:38.620]  actually synced if they've got the up-to-date versions. You could see even there, I've got
[25:38.620 --> 25:42.340]  all the different libraries that are shared with me, and we could see even the amount of
[25:42.340 --> 25:49.680]  bytes transferred. Now that CID-profile service response, that one will give us, as I
[25:49.680 --> 25:54.560]  mentioned, only for the personal version of Office 365, I'm sorry, personal version of OneDrive,
[25:54.560 --> 25:58.660]  you've got things like the display names. We could see Michael Wiley or Mike Wiley there.
[25:58.660 --> 26:03.740]  We could see the ID or the CID of my user. We can see the email address that I have registered
[26:03.740 --> 26:09.120]  there. So it was a Gmail account. We could see a business phone number, which again, I don't know
[26:09.120 --> 26:14.180]  why it's there, and every time I've looked it's null. Same thing with job title, mobile phone, office
[26:14.180 --> 26:21.500]  location, that kind of stuff. I did try and compare the registry keys. So in my lab environment,
[26:21.500 --> 26:28.620]  I went ahead and installed or activated OneDrive for business, and I recorded all the different
[26:28.620 --> 26:33.520]  registry keys that I saw. Then I did that for the personal version, which is that middle column
[26:33.520 --> 26:38.360]  there, to see which registry keys were added. You can see there's a lot less. And then I tried
[26:38.360 --> 26:43.880]  to do essentially a merge of those and see which were common, so that way we can identify which
[26:43.880 --> 26:48.240]  registry keys were not common. And so the only two keys in the personal version that are different
[26:48.240 --> 26:54.640]  are isUpgradeAvailable and VaultShortcutPath. Otherwise, everything in the personal registry
[26:54.640 --> 27:00.380]  keys, they're also going to be for the business keys. Hey, one interesting registry key that we
[27:00.380 --> 27:05.380]  can find is that if we do a reg query or we use in the lab environment, I'm going to give you
[27:05.780 --> 27:10.720]  a dump of the registry. So you can't obviously do a live query like I'm doing here on the screen,
[27:10.720 --> 27:17.660]  but with the business version of OneDrive or Office 365, what happens is if you go
[27:17.660 --> 27:23.340]  into HKEY_CURRENT_USER\Software\SyncEngines\Providers\OneDrive. When we go in there,
[27:23.340 --> 27:30.080]  you're going to see potentially multiple different keys there. And what looks like a
[27:30.080 --> 27:37.880]  bunch of random characters like B736EE blah, blah, blah, plus one. And then you see C4F29 blah,
[27:37.880 --> 27:45.160]  and so on and so forth. So those are actually what I think is the CID for users that have shared
[27:46.000 --> 27:50.140]  folders with the user you're looking at. So you can go in here again, depending on your
[27:50.140 --> 27:54.460]  perspective, if it's offensive or defensive, but you can now see that they have access to other
[27:54.460 --> 28:00.000]  users files. Or if you're doing incident response or forensics, you can see that they might have
[28:00.000 --> 28:05.340]  data that's mapped there that doesn't belong to them. Now, if you do another reg query below that
[28:05.340 --> 28:13.620]  on one of those CIDs, so the B7 blah, blah, blah, if you go ahead and do a reg query on that string,
[28:13.620 --> 28:16.400]  what's going to happen is you're going to see more keys under there, and you're going to see
[28:16.400 --> 28:21.340]  the actual name, what they're calling the mount point of what's shared to them. So now I can see
[28:21.340 --> 28:26.720]  there's a projects documents directory that they don't own, but someone shared with them and they
[28:26.720 --> 28:31.160]  added to their OneDrive. And then obviously, you can also see the URL namespace. So you can
[28:31.160 --> 28:36.000]  actually see the URL to get that. So if you are on their machine, you could possibly pop in that
[28:36.000 --> 28:40.380]  URL into their browser. And if it's cached, you might be able to actually get that as well.
[28:41.100 --> 28:46.000]  One thing to note with these tests, though, if someone shares something with the user,
[28:46.000 --> 28:50.260]  it doesn't automatically mean you're going to see it when you do the reg query. They do have to
[28:50.260 --> 28:56.600]  press add to your OneDrive in order for that to now show up in the registry. So once they press
[28:56.600 --> 29:02.100]  add on the web browser version of OneDrive, if they click add this shared folder, for in this
[29:02.100 --> 29:06.080]  case, I did test on a personal account, when you do the reg query, you're going to be able to see
[29:06.080 --> 29:10.400]  that there. And so the difference between the business version here and the personal version
[29:10.400 --> 29:15.660]  of OneDrive is that with the personal version, there is no CID of the user that shared it.
[29:15.660 --> 29:20.640]  Instead, you're just going to see the name of the shared folder. If you dive into that a little
[29:20.640 --> 29:25.500]  deeper with another reg query, we can actually see the CID of the user that shared it with them.
[29:25.500 --> 29:31.220]  Possibly if you've compromised multiple machines within an organization, you can look at that CID,
[29:31.220 --> 29:35.300]  or if you're on the defensive side, you can take a look at that and say, well, I know Bob or Betty
[29:35.300 --> 29:42.260]  or Joe or whoever shared this with that person. One other thing just to know about a lot of these
[29:42.260 --> 29:48.100]  tools, I'm just going to focus here on OneDrive for a second, is that with Microsoft OneDrive
[29:48.100 --> 29:53.840]  space saver, it basically allows you to not sync everything. And I remember back in the day,
[29:53.840 --> 29:59.200]  Dropbox was the first cloud file storage solution that I used. And when I would sync that, I had
[29:59.200 --> 30:06.620]  multiple directories and subdirectories. The challenge I had was that I couldn't get enough
[30:06.620 --> 30:11.580]  space off of my machine. I had terabytes of data, and I would try and say, don't sync this folder,
[30:11.580 --> 30:17.640]  but I really wanted a subfolder within that. So it was challenging to tell Dropbox which
[30:17.640 --> 30:22.740]  folders to sync, which folders not to sync, get what I wanted, and also not fill up my hard drive.
[30:23.380 --> 30:29.140]  So Microsoft OneDrive, their solution to that is called space saver. And what that'll do is that
[30:29.140 --> 30:35.100]  it doesn't download everything. It'll essentially get you a cached copy of the file name, and you'll
[30:35.100 --> 30:39.980]  see there that it's got a little cloud that's empty, and it basically means that it's cloud only.
[30:40.000 --> 30:45.940]  However, you can double click on that file, and it will then be cached locally, which will have a
[30:45.940 --> 30:51.540]  green check mark. Now, that'll eventually go away. I don't have documentation on how long it stays
[30:51.540 --> 30:56.480]  cached locally, but if you want it to stay always locally so you could access it when you're on an
[30:56.480 --> 31:00.780]  airplane or train or you don't have internet access, you could right click and say always
[31:00.780 --> 31:07.660]  keep on this device. So now what we're going to do is we're going to dive into the OneDrive lab.
[31:07.660 --> 31:13.340]  I do have a scenario for you that I don't think I properly put into the slides here.
[31:13.400 --> 31:18.460]  So what I'm going to have you do is go to the GitHub repo, make sure you've got, again, those
[31:18.460 --> 31:25.860]  four tools that you're going to use, the database browser, Notepad++, so on, so forth, and I want
[31:25.860 --> 31:31.540]  those two tools installed. And then I want you to go ahead and extract the evidence-desktop-q50
[31:31.540 --> 31:38.460]  blah blah blah dot zip file, which has all the artifacts for the lab. And then I want you to
[31:40.620 --> 31:45.820]  start just looking at those files and seeing that it looks like basically a C drive, but it's only
[31:46.000 --> 31:51.940]  a couple megs in size. What I'm going to do while you get that going, and if there's
[31:51.940 --> 31:55.400]  any questions, obviously post them there on YouTube in the comments, and those will be
[31:55.400 --> 32:02.320]  relayed to me so I can answer those questions. I'm going to go ahead and get the scenario
[32:02.320 --> 32:05.860]  built up. I'm going to put that on the screen so you have the scenario in front of you so you could
[32:05.860 --> 32:11.100]  see what we're doing. Obviously, there could be many different scenarios, but I tried to make this
[32:11.740 --> 32:16.440]  fake scenario up, do it in the lab, and then I collected those artifacts for you to kind of dig
[32:16.440 --> 32:20.940]  into. So what you're going to want to do is open up, and I'm going to do here on my screen,
[32:21.920 --> 32:28.120]  there's three Word docs that are lab files. And the first one we're going to do here is OneDrive,
[32:28.120 --> 32:34.780]  so it should be Examining Cloud File Storage Incidents - Lab - OneDrive. So I'm going
[32:34.780 --> 32:43.520]  to make this bigger on my screen for you. Expand that, zoom in, and this tells you here to navigate
[32:43.520 --> 32:50.360]  to the CID-profile services, and there's a question you're going to answer. So you basically
[32:50.360 --> 32:55.820]  have to answer, what's Bob's Microsoft OneDrive CID? There's another question here, examine this
[32:55.820 --> 33:00.540]  file, get the user principal name. So these are questions that you're going to go ahead and answer
[33:00.540 --> 33:05.440]  and I'll walk you through. Now, I will tell you, if you're stuck, or you've never done this before,
[33:05.440 --> 33:09.700]  and you need some help, what I have is all the way at the bottom, if you keep scrolling down,
[33:09.700 --> 33:16.340]  there should be a detailed walkthrough. So it'll give you the question again, exactly as you saw
[33:16.340 --> 33:21.180]  it before. And it'll give you then, or the steps, the question, and then it'll also give you the
[33:21.180 --> 33:26.140]  answer. And a lot of times here at the answer, what I also do is I give a screenshot. So if you
[33:26.140 --> 33:31.240]  want to walk through this, and you've got less experience, and you're saying, it's all too new
[33:31.240 --> 33:35.540]  to me, well, then just kind of walk through this, and you should be able to see the same exact things
[33:35.540 --> 33:40.420]  on your system. So I'm going to go silent for a little while on mute here. So you have a little
[33:40.420 --> 33:44.960]  bit of time to walk through these labs. When you're done, if you could start commenting and
[33:44.960 --> 33:50.140]  let us know on YouTube, that way I can get an idea of when the first 10 or 15 people are done,
[33:50.140 --> 33:55.140]  and we can kind of move on from there. So as I mentioned, go ahead and open this lab file,
[33:55.140 --> 33:58.300]  get started on that. I'm going to put on my screen in just a second here,
[33:58.300 --> 34:02.160]  the scenario, and I'll start talking about that scenario. Apologies, I didn't have that teed up
[34:02.160 --> 34:13.920]  for you. Hey, Michael, a quick question in the chat around cloud file storage security.
[34:14.480 --> 34:20.620]  Do you have any recommendation for, you know, scanning files for any malicious links or
[34:20.620 --> 34:25.760]  malicious files themselves? Any tools, something along those lines?
[34:26.440 --> 34:35.120]  Yeah, so a lot of the tools or the different solutions nowadays, they have AV built in.
[34:35.120 --> 34:42.300]  I don't know a lot of details about what they are. I can tell you that they are getting really good.
[34:42.800 --> 34:46.900]  I haven't done a full test where I've gotten, let's say like 1500 malware samples,
[34:46.900 --> 34:50.620]  uploaded them all to see what happens. But I can tell you from experience, both
[34:51.220 --> 34:58.920]  Google Drive as well as OneDrive have eaten up my malware samples that I have placed there for
[34:58.920 --> 35:06.820]  different lab environments. Even when I have encrypted and password protected zip files with
[35:06.820 --> 35:13.460]  malware built into them, both Google Drive and OneDrive have opened them up and used the password
[35:13.460 --> 35:17.940]  infected to look inside of them. I was kind of blown away the first time I saw it. And they're
[35:17.940 --> 35:22.540]  constantly improving it. They don't provide a lot of detail to that. So I used to keep a lot of my
[35:22.540 --> 35:30.900]  malware in like Google Drive. And even more so, I now sometimes have PCAP files, so network traffic
[35:30.900 --> 35:36.240]  that I have collected. And well, an incident happened. So let's say a user downloads a copy
[35:36.240 --> 35:42.020]  of WannaCry. I captured that network traffic. Within that PCAP, there's a lot of stuff. There's
[35:42.020 --> 35:48.200]  ping, there's all kinds of stuff in there. But there is an object, right? So they downloaded
[35:48.200 --> 35:54.760]  that file. And if it's over a clear text protocol, all those bits and bytes and everything are
[35:54.760 --> 36:01.740]  sitting in there. Nowadays, OneDrive will actually flag that. My PowerPoint slides for my incident
[36:01.740 --> 36:08.180]  response workshop for Wireshark, I can no longer share my PowerPoints. And it won't even let me
[36:08.180 --> 36:13.180]  download it to my computer. I actually have to go to OneDrive, confirm that I realized that they
[36:13.180 --> 36:19.060]  have found a virus within a PCAP file, and then confirm that I guarantee I'm serious, I do want
[36:19.060 --> 36:22.840]  to download that, and it'll let me download it. But they will not let it sync, and they will not
[36:22.840 --> 36:28.300]  let me share it. So a lot of the tools, I can't speak on all of them and what their engines are
[36:28.300 --> 36:33.220]  like, but I can tell you they're getting pretty good at finding stuff, even opening zip files with,
[36:33.220 --> 36:38.000]  I'm guessing they're using common passwords, like infected, you know, password. And they're
[36:38.000 --> 36:42.900]  trying to open up your zip files and scan those as well. If you do want a little bit more security
[36:42.900 --> 36:48.000]  on top of that, and you want to know what's going on, CASB solutions will do that. I don't use CASB
[36:48.260 --> 36:52.900]  a lot. However, I have used things like managed methods, we're a partner with them. And I went
[36:52.900 --> 36:58.060]  through some of their documentation, and I saw that they have a back end relationship with one
[36:58.060 --> 37:03.580]  of the AV vendors. And by adding CASB on top, it's scanning that. I would say if you're looking
[37:03.580 --> 37:08.740]  for other things too, Microsoft is building more and more built in. So they've got their
[37:08.740 --> 37:16.360]  kind of CASB solution built into Office 365. But if you want a third party, that's where it's going
[37:16.360 --> 37:20.620]  to help you scan for stuff. So again, I'm going to go back to the tool I know, not saying they're
[37:20.620 --> 37:27.640]  the best, but I just know ManagedMethods. I build out a lot of regex queries for things like
[37:27.640 --> 37:35.200]  social security numbers, for things that look like a password, username, stuff like that. So
[37:35.200 --> 37:41.800]  it's doing antivirus scanning on top of what already Office 365 is doing. And then it's also
[37:41.800 --> 37:47.580]  letting me do custom queries for things like PCI, HIPAA, and just stuff that shouldn't be stored in
[37:47.580 --> 37:56.110]  OneDrive, like usernames and passwords and stuff like that. Yeah, I, you know, within my limited
[37:56.110 --> 38:02.770]  experience, I have similar experiences, the cloud vendors are getting really good at defending their
[38:02.770 --> 38:07.410]  own environment. It makes sense, right? I mean, they don't want to be hosting and especially if
[38:07.410 --> 38:11.530]  they have that shared cloud responsibility model, they've got a lot of that on their side. And they
[38:11.530 --> 38:17.610]  don't want you having things that are doing evil, or someone says, Oh, I got it from a Google Drive
[38:17.610 --> 38:22.570]  link or something like that. So they have got, I'm sure some pressure to make sure that they're
[38:22.570 --> 38:28.750]  keeping their customer safe and not spreading malware either. But, you know, when they did
[38:28.750 --> 38:33.910]  open my zip file, I was shocked because it had a password. When they started scanning my PCAPs
[38:33.910 --> 38:39.570]  and identifying malware in those, I was even more shocked, but good for them. This was the case,
[38:39.570 --> 38:44.890]  I don't know why this isn't in my slides, I must have missed this. But basically, this is the
[38:44.890 --> 38:49.790]  scenario that they built out for this workshop when it was the first time I did it was a four
[38:49.790 --> 38:55.570]  or five hour workshop. So you're working the case of the Mike Wiley LLC case, this is going to be
[38:55.570 --> 39:00.570]  more of a defensive incident response forensics type of case. But again, these concepts can be
[39:00.570 --> 39:07.150]  used for both sides. So you've got Bob McLee, who is a senior manager of operations. The Mike Wiley
[39:07.150 --> 39:13.710]  LLC firm is a boutique real estate investment firm in Los Angeles. Bob is a senior manager
[39:13.710 --> 39:20.690]  who abruptly left the firm on 4-17-2020 in the morning. Days prior to Bob leaving,
[39:20.690 --> 39:26.370]  he stepped down from all committee positions, so all board positions he was on. On Friday afternoon,
[39:26.370 --> 39:32.430]  Bob updated his LinkedIn profile to co-owner of a competing real estate investment firm called
[39:32.430 --> 39:39.030]  REMAX also. Within hours of Bob's departure, key clients gave contract cancellation notices.
[39:39.030 --> 39:44.250]  The Mike Wiley LLC management believes that Bob may have violated his non-compete and non-solicit
[39:44.250 --> 39:51.570]  clause. The Mike Wiley LLC hires a forensic incident response consulting firm to get
[39:51.570 --> 39:56.110]  evidence of any violations of non-solicit, so you're part of that consulting firm. The company
[39:56.110 --> 40:02.390]  did not have an approved cloud file storage solution, and some users would share files using
[40:02.390 --> 40:10.510]  personal accounts for business reasons. According to HR, Bob's personal email address is
[40:10.510 --> 40:18.010]  bob.maclee.re@gmail.com. So you've got that basic information about the incident,
[40:18.010 --> 40:22.570]  and as you work through that, you could start seeing what kind of files. Is there anything
[40:22.570 --> 40:27.690]  putting on your defender's hat, your incident response or forensics hat? Was there anything
[40:27.690 --> 40:33.250]  that that user looked at, touched, synced, that kind of thing? And so I'm guiding you through in
[40:33.250 --> 40:38.430]  the lab, going across that, trying to see what are some of those things that you can uncover
[40:38.430 --> 40:44.410]  using some of this. And so what I did, just for a little background, is I had the web browser
[40:44.410 --> 40:51.050]  opened up with all four platforms. I had OneDrive, Google Drive, Box, Dropbox, actually in Citrix,
[40:51.050 --> 40:58.410]  I had five platforms. Then I also had two virtual machines. I had a primary one, which is the
[40:58.890 --> 41:05.330]  information that you have, which I extracted out as the incident responder. I then also had a
[41:05.330 --> 41:09.430]  second VM that you don't have access to. So there's three different possibilities. There could be
[41:09.430 --> 41:14.110]  stuff on the web, there could be stuff on the VM you have, or a third-party VM, which is probably
[41:14.110 --> 41:19.050]  their personal home machine. So there's possibly three different cases where files
[41:19.050 --> 41:23.230]  could be added, removed, deleted, that kind of stuff. And so as we walk through, you could answer
[41:23.230 --> 41:28.570]  all the questions within OneDrive, but what I try to do is have you answer certain questions
[41:28.570 --> 41:33.210]  with OneDrive. Then later on, we're going to go to Dropbox, and you're going to answer some
[41:33.210 --> 41:36.970]  questions through that. And then we're going to go to Google Drive, and you'll answer more questions.
[41:36.970 --> 41:41.470]  So you could answer all of these questions and get all this information from one solution,
[41:41.470 --> 41:47.590]  but every time I added a file, I added it to all five different solutions. Citrix, Box, Dropbox.
[41:47.590 --> 41:53.410]  And so I wanted those same actions to happen across the board, but I wanted you to answer
[41:53.410 --> 41:57.150]  them, again, using the different tools and know where to find them with the different solutions. So
[41:57.150 --> 42:00.990]  hopefully that makes a little more sense of what we're doing and why we're doing it.
[42:02.030 --> 42:09.250]  And again, if you missed it, we are looking at the OneDrive lab file where we've got the walkthroughs.
[42:10.510 --> 42:15.690]  Any comments or questions on YouTube? Anyone stuck? Anyone done?
[42:17.590 --> 42:25.350]  I do have a question, which is not related to the lab, but your opinion on adoption of
[42:25.350 --> 42:30.070]  CASB in relation to layered protection for cloud assets?
[42:31.670 --> 42:40.590]  Good question. I think it's got its purpose. I think there's different use cases. So let me
[42:40.590 --> 42:45.210]  go into one where I think it's definitely useful, and then I'll go into another one where it's not.
[42:45.210 --> 42:51.270]  So we work with, as I mentioned, a lot of studios and post-production houses that receive
[42:51.270 --> 42:57.270]  the raw footage of the movies that are in the theater. And the challenge that we have is with
[42:57.410 --> 43:02.850]  a lot of studios, they've got what's... they're very concerned about the data getting leaked,
[43:02.850 --> 43:09.270]  especially after you look at Larson Studios was compromised by a hacker or hacking group,
[43:09.270 --> 43:15.910]  and the contents of Orange Is the New Black was held for ransom. I think it was like $97,000
[43:15.910 --> 43:22.550]  or $60,000. I can't remember the exact amount. And then basically signed a contract and give
[43:22.550 --> 43:27.010]  us this money in Bitcoin, and we won't release it to Pirate Bay. They ended up releasing it anyways.
[43:27.650 --> 43:32.550]  So the studios have gotten very strict on that, and they've got a 96-page document called the
[43:32.550 --> 43:37.690]  MPA Content Security Best Practices, and it's got everything. I mean, you should have a security
[43:37.690 --> 43:43.970]  guard walking around 24-7. How do you handle their keys? You have to have an inventory of
[43:43.970 --> 43:49.230]  every master key. When you're editing any content, it should be in a locked room with unique
[43:50.330 --> 43:56.130]  keys to get in, like a combo lock. And that logging on that lock has to be for 12 months,
[43:56.130 --> 44:00.550]  and you have to have a CCTV camera at your employees. And when your employees enter and
[44:00.550 --> 44:04.810]  exit the room, you have to search them. They can't have personal items in the room. If they do,
[44:04.810 --> 44:09.570]  it has to be a clear bag. It just goes on and on that most people can't really do that.
[44:10.170 --> 44:15.710]  So one thing, though, is that the point of that is that the studios are very strict about,
[44:15.710 --> 44:19.690]  you have to take our content, such care of our content, and how you work on our content
[44:19.690 --> 44:23.810]  while it's in your environment, Mr. Post-Production House or VFX House.
[44:24.550 --> 44:29.290]  Now, a lot of times, though, and I won't name which studios, but a lot of studios will still
[44:29.290 --> 44:35.450]  send the raw content of Batman or whatever it is. I just used Batman as an example, but they'll
[44:35.450 --> 44:42.110]  send the link for that to download the raw footage of this blockbuster movie. And they'll send that
[44:42.110 --> 44:47.550]  via email with the URL and username and password to download that. Sometimes they'll also send it
[44:47.550 --> 44:54.190]  over FTP, not the password, but they'll send the actual content over FTP. So I kind of feel like
[44:54.190 --> 44:59.590]  that's saying to the studio, to the vendor sometimes, it's like, hey, we're going to give
[44:59.590 --> 45:03.470]  you a gun, but you need to be so careful with it, you need to take a safety class, you need to
[45:03.470 --> 45:08.570]  buy a lock, you need to have a safe, you need to be in a room that's got bulletproof walls and all
[45:08.570 --> 45:13.730]  this stuff. But here you go, and they give you an unloaded gun without the safety on.
[45:13.870 --> 45:18.870]  And so in those situations, we've recommended, even though it's not part of the MPA best practices for
[45:18.870 --> 45:26.310]  our vendors, to basically, for their protection, is if you get handed a loaded gun, a CASB solution
[45:26.310 --> 45:33.190]  may be able to identify those links that come in, and then track everything about it. And it'll
[45:33.190 --> 45:38.670]  basically see if the... it'll almost alert. So when those links come in and possibly username and
[45:38.670 --> 45:44.470]  password from the studio, in an insecure manner, it is then tracked and logged and any type of
[45:44.470 --> 45:48.570]  action around that email is then alerted. Because we can't control that the studio is going to hand a
[45:48.570 --> 45:54.370]  loaded gun to our clients, but we can control then how we're monitoring, logging, and preventing that
[45:54.370 --> 45:59.590]  from going out. So the CASB solution lets us keep track of that. And if it's ever forwarded to a
[45:59.590 --> 46:04.810]  personal account or anyone outside the company, we get alerted to that. Some CASB solutions will
[46:04.810 --> 46:10.690]  actually allow you to break links. So if someone puts a file up in Dropbox, or they try and share
[46:10.690 --> 46:16.090]  it, it'll break that link. So in those cases of detecting and sometimes preventing, but mostly
[46:16.090 --> 46:21.290]  detecting data leaving or being shared or forwarded and stuff like that, we absolutely recommended
[46:21.290 --> 46:28.950]  that to the client. Now, other cases, we have a CPA firm that's one of our clients, and they
[46:29.870 --> 46:34.270]  didn't really have a need for that. We got CASB involved originally, but we found out really,
[46:34.270 --> 46:37.510]  they just didn't want anyone to share anything outside the company. There was no use case for
[46:37.510 --> 46:43.310]  that. So we just disabled sharing. And in that case, we didn't really need CASB. So you kind of
[46:43.310 --> 46:47.270]  have to look at what functions you're worried about. Do you want the antivirus scanning? Do you
[46:47.270 --> 46:54.210]  want the regex queries? Do you want to be able to be alerted on certain events? I think a lot of it,
[46:54.210 --> 46:58.490]  you can actually do now with OneDrive. If you integrate that with a tool like Sumo Logic,
[46:58.490 --> 47:02.730]  you could do a lot of alerting on that. But again, every use case is different and depending on what
[47:02.730 --> 47:06.430]  you're storing there. So it's a long winded answer, but there's a lot of depends, but there's
[47:06.430 --> 47:11.670]  some really useful features. In other cases, a lot of businesses, I say, no, it's not right for you.
[47:13.970 --> 47:20.250]  Got it. And then another question, is there any form of encryption adopted by OneDrive that
[47:20.250 --> 47:26.250]  minimizes the risk of disclosure? I'm making reference to access the local files in plain
[47:26.250 --> 47:33.470]  file. Got it. So not that I'm aware of. No, I think they're obviously in transit. OneDrive,
[47:33.470 --> 47:40.390]  Google Drive, all that stuff is traversing over SSL/TLS. And so it's essentially encrypted in
[47:40.390 --> 47:44.990]  transit. And then I'm assuming it's encrypted also when it's sitting there in the cloud.
[47:45.430 --> 47:51.110]  But on the local file system, no. I mean, once it's sitting there, it's sitting there.
[47:52.690 --> 47:58.970]  Couple caveats though, is that a lot of those caching or those shell files, where it's only
[47:58.970 --> 48:03.850]  the file name, but it's not actually downloaded. I've had issues with that. And I could see where
[48:03.850 --> 48:08.210]  that could almost benefit you from security standpoint, is that if you try and copy all
[48:08.210 --> 48:13.050]  the files in OneDrive onto a thumb drive or something else, it has to download each one
[48:13.050 --> 48:17.990]  and then move it over. And if it doesn't have connectivity or you're signed out or anything
[48:17.990 --> 48:22.550]  like that, it will error out. It won't actually copy those files over. It's really just a shell
[48:22.550 --> 48:27.870]  or a shortcut that points to that file. So not really encryption, but that's, I mean,
[48:27.870 --> 48:33.170]  that's one security measure. I guess it wasn't meant as a security measure, but it helps you out.
[48:34.070 --> 48:39.530]  And then every solution we're going to look at today, all of them, all this local stuff,
[48:39.530 --> 48:44.970]  like the caches, the logs, everything is in clear text. So you have access to all the databases
[48:44.970 --> 48:51.430]  from all these tools. OneDrive doesn't use databases, it uses the registry, but Google
[48:51.430 --> 48:57.550]  Drive, Box, Dropbox, Citrix ShareFile, they all use SQLite databases, and all of them are in clear
[48:57.550 --> 49:01.570]  text. So you don't even need a password, you just open them up and you get access to all this stuff.
[49:02.210 --> 49:06.910]  With the caveat of Dropbox, and Dropbox is the only one that actually encrypts their databases
[49:06.910 --> 49:14.590]  and some other stuff at rest. So the files are not, but at least the database and the metadata,
[49:14.590 --> 49:17.970]  you won't be able to get into that unless you do some further exploits.
[49:20.190 --> 49:24.810]  Okay, so let me do a quick walkthrough on this, and then we'll move on to the next piece.
[49:24.810 --> 49:30.650]  So the first one, it says to go ahead and navigate over to the cid-profileserviceresponse.txt file
[49:30.650 --> 49:36.190]  and open it with Notepad++. So some of this, I might have an issue with my walkthrough because
[49:36.190 --> 49:42.150]  my VM that I normally use for this, I haven't touched it in a while, and I forgot the password.
[49:42.150 --> 49:46.070]  So I had to like last night, all of a sudden move all these artifacts over and try and get it reset
[49:46.070 --> 49:52.770]  up. So if it's a little bumpy, I apologize. So you've got, if you extract that zip file
[49:53.490 --> 49:57.890]  that I've got with the evidence, basically, you're going to see a folder structure of C,
[49:57.890 --> 50:01.130]  essentially, if you were on the file system, you'd click on the C drive.
[50:01.350 --> 50:04.790]  And then you're not going to see everything, but you're going to see the things that I extracted
[50:04.790 --> 50:09.650]  with CAPE within 10 seconds. So an incident happened, you know, Bob McLee called us in,
[50:09.650 --> 50:15.050]  or not Bob McLee, but the Mike Wiley LLC about Bob McLee, and said, we think there's an issue,
[50:15.050 --> 50:21.290]  please, you know, figure out what happened. So what I did is I grabbed CAPE, a tool,
[50:21.290 --> 50:27.590]  and I basically then, I've got a custom CAPE target that extracts all stuff related to cloud
[50:27.590 --> 50:33.290]  storage solutions. I said, collect it from this hard drive, the C drive. And within 10 seconds,
[50:33.290 --> 50:38.670]  it created the zip file for me, or for us. And it gives us all relevant information to these Google,
[50:38.670 --> 50:43.470]  or not Google Drive, but these cloud file storage solutions. So we're going to go over to users,
[50:43.470 --> 50:48.410]  Bob, for Bob McLee, we're going to go to app data, local, Microsoft. And so you can see,
[50:48.410 --> 50:57.570]  this is most of the data we're going to look at today. But we're going from Microsoft,
[50:57.570 --> 51:00.870]  there was no business account. So this was not a paid subscription,
[51:00.870 --> 51:03.730]  this is a personal account. So immediately, we notate that for our incident,
[51:04.330 --> 51:11.170]  we go into personal, and then we should see that CID dash profile service response.
[51:11.170 --> 51:18.170]  So what's Bob's Microsoft OneDrive CID? Well, it's right here. Okay, so we've copied that we
[51:18.170 --> 51:25.490]  now know that CID in case we see it elsewhere. The next question asks us, examine this file and
[51:25.490 --> 51:31.410]  look for the principal name. So we want to double click on this. And we just make this larger for
[51:31.410 --> 51:43.950]  you. Word wrap, edit, and format. Okay, and so we could see here, obviously, that they're using
[51:44.790 --> 51:50.810]  OneDrive principal name, Bob McLee, so we have the right computer. We could see their CID again,
[51:50.810 --> 51:56.050]  right here, we see their email address. So it was bob.mcleegmail, this matches what HR told us is
[51:56.050 --> 52:00.530]  their personal email address. And then we don't see a phone number, job title, as in most cases,
[52:00.530 --> 52:08.470]  we won't. Okay, the next question is, what is the device ID of the system you're investigating,
[52:08.470 --> 52:14.210]  right? So we want to see, we didn't do the acquisition, all we did was given the zip file,
[52:14.210 --> 52:18.910]  and we want to know, well, which system is this in case we have to go to court. Okay, so I want
[52:18.910 --> 52:25.370]  to go ahead and go over to OneDrive logs, and then personal. So I'm going to close this, and go back
[52:25.370 --> 52:32.090]  to OneDrive, logs, personal. And then within here, I'm going to go ahead and look for the sync
[52:33.290 --> 52:40.710]  diagnostics file. So I got this one. Let me see if I have Notepad++. Perfect. This is going to be a
[52:40.710 --> 53:01.450]  little easier. Okay, and so within here, we can see the question was, what's the device ID? So
[53:01.450 --> 53:11.140]  my device ID. So we see we copy that, and that's got a unique device ID. Get on my zoom here.
[53:15.030 --> 53:20.470]  Okay, and then the next question is, how many files folders are synced? So we can just look
[53:20.470 --> 53:26.530]  through here for files. 13 files were synced. Let's see if I can just make this view a little
[53:26.530 --> 53:38.410]  better for you. Zoom in. There we go. That's much better. Okay, so files, there's 13 folders,
[53:38.410 --> 53:42.170]  there's three, so we can see that they're not really a big user, but there might be some
[53:42.170 --> 53:46.190]  interesting files and folders we want to look at. But essentially, there's 13 files that we're
[53:46.190 --> 53:57.160]  looking for. Okay, and then we want to look for... next step is to navigate over to
[53:59.300 --> 54:03.500]  personal, and we want to open up the obfuscation string map. So I'm going to close this or just
[54:03.500 --> 54:10.980]  minimize that. Go back here. Obfuscation string map, we'll open that up as well. And so now we
[54:10.980 --> 54:15.420]  can see, even if we don't know everything, we can start getting on the right hand side here,
[54:15.420 --> 54:23.000]  I can see different files and folders. So I see that C drive, users, Bob, metadata, app data.
[54:23.840 --> 54:28.460]  Scroll down, we can look for anything that's interesting here. Okay, we've got Bob again,
[54:28.460 --> 54:36.440]  desktop, users. Okay, keep scrolling down, we could see email address, I see there's some type
[54:36.440 --> 54:47.360]  of possibly PowerPoint, some mail. Okay, client. So there might be a client's folder we're looking
[54:47.360 --> 54:52.500]  for. But you could just start parsing through this and start seeing different possible file
[54:52.500 --> 54:57.860]  names or things that are interesting. Imagine if you see like password, or, you know, here's some
[54:57.860 --> 55:03.320]  messages or messaging possibly. You know, you can just parse through that. At the very, at the
[55:03.320 --> 55:06.720]  very least, even if you don't go into other things, you can start looking for interesting file names
[55:06.720 --> 55:14.760]  and folders there. Okay, but then it says we are looking for, we found something that was
[55:16.420 --> 55:22.260]  123, me, you, they, who, what, where, and so we want to match that up. So I can just search here
[55:22.260 --> 55:31.500]  and see my searching. It's hard using a Mac and then a Windows VM, the control keys are not
[55:31.500 --> 55:47.450]  matching up. There we go. Okay, so 123. And of course, it's not working. Let me see.
[55:53.580 --> 56:04.870]  Go to the top again. Oh, I see. I was giving you a sample. I was wondering why the heck is the 123
[56:04.870 --> 56:11.150]  not there. But really, we were trying to figure out what the C drive slash user slash Bob was
[56:11.150 --> 56:15.370]  going to equate to. And so I give the example which didn't exist. But essentially, what I'm
[56:15.370 --> 56:30.460]  looking for here is, if I'm trying to find my logs, I'm gonna open up a new tab. Okay, so if
[56:30.460 --> 56:36.620]  I'm looking for the C drive, it would look something like this. And then users. So I look
[56:36.620 --> 56:47.000]  down here for users, it's gonna be this one. Okay, and then Bob, go back here. It's gonna be
[56:47.000 --> 56:54.940]  this. Copy. Basically, so if we're looking in log files, we're looking for something like this,
[56:54.940 --> 56:59.300]  if we want to see things that were placed in C users, Bob's directory, right, this is
[56:59.300 --> 57:05.960]  essentially the path we're gonna be looking for in the log files. Okay, then the next step here
[57:05.960 --> 57:22.700]  is that we are going to navigate over to the CID.dat file. Okay, personal. And then this is
[57:22.700 --> 57:30.140]  our CID.dat file, I recommend opening up with a hex editor. This one's probably expired. I'm
[57:30.140 --> 57:32.580]  just going to use a different tool than you have here because I haven't installed
[57:35.320 --> 57:39.420]  HxD on this one. But if we look through here on the right hand side, this should be
[57:39.420 --> 57:44.660]  the ASCII. If I scroll down, we can look for things like, did I tell you exactly what to look
[57:44.660 --> 57:51.060]  for? Personal vault. So we start looking for that, I'm just gonna scroll slower.
[57:56.620 --> 58:04.240]  Okay, there it is, I see personal vault right here. Okay, and then we're looking for,
[58:04.240 --> 58:08.420]  look at the question again, we're scrolling down looking for the next folder name that we see.
[58:08.420 --> 58:18.890]  So I'm going to keep scrolling slower, scroll, scroll, scroll, nothing there. You can see why
[58:18.890 --> 58:27.120]  I might want to use strings here, because this is just a little bit messy. Okay, and now I see
[58:27.120 --> 58:32.000]  something else here, another folder called operations. Right, so there's another folder
[58:32.000 --> 58:36.280]  called operations. And you can keep parsing this. But again, if you use strings, I didn't want to
[58:36.280 --> 58:39.640]  give too many tools, but strings is going to make it a lot easier to parse that out.
[58:44.460 --> 58:52.380]  Okay, the next thing I have here is we're going to open up the CID.ini file. So I'll go back over
[58:52.380 --> 59:00.860]  here, CID.ini, I'll open it in Notepad++. And we're going to go ahead and look for the
[59:01.940 --> 59:07.120]  local file path where things are stored. So I'm looking for the library, if I scroll over to the
[59:07.120 --> 59:15.060]  right here, whoops. We can see this is where things are stored for Bob. So anything that's
[59:15.060 --> 59:19.140]  synced with OneDrive, it's going to be stored in this location there, C users Bob OneDrive,
[59:19.140 --> 59:25.580]  which is what we'd expect. That's the default. Okay, now we want to run Registry Explorer.
[59:25.600 --> 59:34.900]  And we are going to load the registry hive. So I am going to go, hopefully, I remember where I put
[59:34.900 --> 59:51.930]  it. I think I put it in my downloads. Another tab here. Downloads. I did. Okay, so my installer
[59:51.930 --> 01:00:00.470]  software, just like you do, and I want to open up Registry Explorer. And you might get an error
[01:00:00.470 --> 01:00:24.350]  when you open this up. We'll see if I get it. Nope, I must have changed the settings. But if
[01:00:24.350 --> 01:00:29.830]  you do get an error about Windows protecting your PC, you just click on more, and then you run
[01:00:29.830 --> 01:00:36.370]  anyways, to try and bypass that. Okay, so the next step is that we want to load a registry hive.
[01:00:36.370 --> 01:00:45.190]  So I'm going to click on file, load hive. Once that's loaded, I'm going to go to our evidence.
[01:00:45.230 --> 01:00:49.970]  So I have extracted my evidence, I believe, in my downloads folder. And then I have my evidence
[01:00:49.970 --> 01:00:57.230]  here. Click on that, click on the C drive. Within the C drive, under the users, we go to Bob. And
[01:00:57.230 --> 01:01:03.550]  within Bob, we should see NTUser.dat. When I click on NTUser.dat, it's going to open up the
[01:01:03.550 --> 01:01:09.330]  registry hive. But if you don't know how the registry works, it's generally going to be
[01:01:09.330 --> 01:01:13.410]  dirty. Things are going to be in these log files until you reboot. That's why a lot of times when
[01:01:13.410 --> 01:01:18.110]  you make registry changes, they say reboot afterwards. So these log files are the transaction
[01:01:18.110 --> 01:01:22.510]  logs that are not written yet. And we want those to be written. So when we open this, we're going
[01:01:22.510 --> 01:01:28.310]  to get an error probably that says, hey, it's a dirty hive. If we get that, we should. We're going
[01:01:28.310 --> 01:01:35.170]  to click yes. And then it's going to say that we have to pick essentially which transaction
[01:01:35.170 --> 01:01:43.030]  logs we want to replay. So I'm going to click OK. I'm going to select both the .log1 and .log2
[01:01:43.030 --> 01:01:48.950]  file. I want both of these transaction logs to be replayed to the registry hive. So I click open.
[01:01:50.530 --> 01:01:51.370]  Click OK.
[01:01:54.290 --> 01:01:56.890]  OK. And it's going to say, where do you want this to be saved to?
[01:01:57.990 --> 01:02:01.510]  I'm just going to throw it back in my evidence folder. So I'm going to go back to downloads.
[01:02:04.290 --> 01:02:08.670]  C drive, users, Bob. And I'll just dump it right here. It doesn't really matter where.
[01:02:09.410 --> 01:02:14.910]  And it says, great, it's been updated. And the sequence numbers match. So that's a good thing.
[01:02:14.910 --> 01:02:20.150]  Do you want us to load the updated hive? Absolutely. Thank you. Yes. And it says,
[01:02:20.150 --> 01:02:24.430]  do you want to load the dirty hive? No. Why would I want the dirty one? So bye-bye.
[01:02:25.190 --> 01:02:30.950]  OK. And now we're able to parse this out. So now that we've loaded this up, what we want to do is
[01:02:30.950 --> 01:02:35.810]  I want you to go to software, Microsoft, OneDrive, accounts, and then personal. So I'm going to expand
[01:02:35.810 --> 01:02:43.390]  this. This is going to be a problem. Every time I have this in my VM, for some reason within the
[01:02:43.390 --> 01:02:49.050]  VM, it gets all messed up with the font here. Let me see if there's an easier way. Or I'll
[01:02:49.050 --> 01:02:57.250]  probably have to zoom in. So give me a second. And if I don't go blind before then. Microsoft.
[01:03:05.250 --> 01:03:24.810]  So hard to see this. OneDrive. And accounts. Personal. OK. Now let's see if I can...
[01:03:29.210 --> 01:03:36.450]  There we go. So I know it's small. For some reason, it gets all messed up in here. But
[01:03:36.450 --> 01:03:42.650]  let's see if I can go even a little bigger for you. OK. So I basically just browse to the
[01:03:42.650 --> 01:03:50.490]  registry location. And then... one second. Let me scroll down on the instructions so I make sure I give you the right steps.
[01:03:51.270 --> 01:03:57.710]  OK. And so some of the things that you want to answer here are... oh, no.
[01:03:59.630 --> 01:04:03.190]  Hang on. Sorry. Let's go back. Increase this.
[01:04:05.350 --> 01:04:10.070]  Well, I may not show a bunch of these demos with the registry if this is going to happen every time.
[01:04:10.070 --> 01:04:19.050]  But we can see the user email in here. So we see that it's bob.mclee.re.gmail.com.
[01:04:19.110 --> 01:04:25.470]  We can look at the CID. So we can see the CID of the user down here. We can see the default file
[01:04:25.470 --> 01:04:32.110]  store, which is C, Users, Bob, OneDrive. We can see the last sign-in time. Where is it?
[01:04:32.590 --> 01:04:42.890]  Last sign-in time, 15.87.12.89.85. We do need to convert this from Unix Epoch time to standard time.
[01:04:42.890 --> 01:04:49.310]  So you can do that by just copying and pasting this in Google or looking for a Unix Epoch converter.
[01:04:49.310 --> 01:04:53.090]  And you can just sort that out and it'll give you the exact time. But almost everything we're going
[01:04:53.090 --> 01:04:59.230]  to look at today, almost everything, is in Unix Epoch time. We can see the first time that the
[01:04:59.230 --> 01:05:06.130]  device was synced. So if we go to client first sign-in time down here, this tells me when they
[01:05:06.130 --> 01:05:11.030]  first started syncing with OneDrive. So we can get a lot of useful information just by analyzing that.
[01:05:12.230 --> 01:05:15.350]  Hopefully, there's no more registry things. Let me see if there's anything else because that's
[01:05:15.350 --> 01:05:21.350]  going to be a pain to do. Okay, and then we can also look at... there's one more that I'll just
[01:05:21.350 --> 01:05:26.750]  show you. The registry piece here is that, aside from personal, what other directories are shared
[01:05:26.750 --> 01:05:31.910]  or synced with this user that they don't own? I'm going to get to it first and then I'll zoom in
[01:05:31.910 --> 01:05:42.430]  here for you. Actually, let's see if I can tell the slide here. So we want to go to Software, Sync
[01:05:42.430 --> 01:05:59.640]  Engines, Providers. Okay, Software, Sync Engines, Providers, OneDrive. And so just looking here under
[01:05:59.640 --> 01:06:04.000]  this OneDrive directory, we can see that Finance, Operations, and Personal. So I said what else
[01:06:04.000 --> 01:06:09.540]  besides personal? So there's a Finance and Operations directory that were shared with this
[01:06:09.540 --> 01:06:14.360]  user. So they don't own that. However, they have access to it. And therefore, we may be able to get
[01:06:14.360 --> 01:06:25.560]  access to those files as well. And I think that wraps up that lab. There's one more question.
[01:06:25.680 --> 01:06:32.180]  Clicking into the personal, another shared folder keys, registry hives, what data value do you see
[01:06:32.180 --> 01:06:39.420]  in the CIDs? So I will show you that one again. So if I do click on, let's say personal, because we
[01:06:39.420 --> 01:06:47.860]  know personal belongs to this user. If I go up here, try and get this down, we can see the CID
[01:06:47.860 --> 01:06:55.160]  of the user that owns personal here starts with 87 and ends in B0, Bravo 0. Now, if I go click on
[01:06:55.160 --> 01:07:03.140]  operations, let's go back up here and see that the CID is different. So that CID, basically, this is
[01:07:03.300 --> 01:07:10.060]  a folder that is owned by someone else. Cool. That wraps up the walkthrough for that lab.
[01:07:10.060 --> 01:07:13.920]  So let's move on now to Google Drive. Google Drive behaves a little bit differently. Microsoft
[01:07:13.920 --> 01:07:18.620]  obviously is baked in, so they have the ability to use a lot of the registry as if it was a database.
[01:07:19.180 --> 01:07:23.280]  I guess it kind of is a database, but they have access to that, right? Where some of these other
[01:07:23.280 --> 01:07:30.200]  solutions have to build this to make it portable. So with Google Drive, you've got... I keep calling
[01:07:30.200 --> 01:07:34.960]  it Google Drive, but the personal version is really called Backup and Sync. But I'm just going to
[01:07:34.960 --> 01:07:38.880]  keep calling it Google Drive. I'm old school like that. If you're talking about the business version,
[01:07:38.880 --> 01:07:45.500]  it's called Drive File Stream. It's part of the G Suite offerings. They're backed by SQLite
[01:07:45.500 --> 01:07:49.920]  databases rather than just text files and registry keys like we saw with OneDrive.
[01:07:50.480 --> 01:07:55.860]  So the Drive File Stream, it creates... it's a little bit different. It's similar to Citrix
[01:07:55.860 --> 01:08:01.020]  ShareFile in that it creates a virtual FAT32 volume and mounts it. So you're going to actually
[01:08:01.020 --> 01:08:08.240]  have like a G Drive sitting there that looks like a mounted file or file system. Sync to Google
[01:08:08.240 --> 01:08:12.280]  formatted files will create a shell. So what's interesting is that even if they're syncing,
[01:08:12.280 --> 01:08:18.160]  you don't actually get the Google file locally. So if you create a Google Sheets or a Google
[01:08:18.160 --> 01:08:25.080]  document within Google Drive web browser, it syncs. It's supposed to be syncing locally to
[01:08:25.080 --> 01:08:30.400]  your file system. What happens is that it creates a shell file and that shell file will have,
[01:08:30.400 --> 01:08:35.560]  if you open it up in a text editor or a hex editor, you'll see the URL, the document ID,
[01:08:35.560 --> 01:08:39.620]  and the email address of that user. So it's kind of interesting. It's not the actual file,
[01:08:39.620 --> 01:08:46.020]  it just redirects you to that. Some interesting locations and databases and files that you may
[01:08:46.020 --> 01:08:52.860]  find when you are examining the system is that you've got the sync underscore config DB file.
[01:08:53.280 --> 01:08:57.300]  It'll give you the user's info like their preferences, initial application sync time,
[01:08:57.300 --> 01:09:03.040]  and stuff like that. The cloud underscore graph database will give you metadata for both local,
[01:09:03.040 --> 01:09:11.640]  cloud, and shared files and folders with that user. The sync underscore log dot log file will
[01:09:11.640 --> 01:09:19.680]  give you added, deleted, modified, renamed files for that user. The snapshot dot DB database will
[01:09:19.680 --> 01:09:25.620]  give you local file metadata, so things that are just locally. And if the user is using G Suite,
[01:09:25.620 --> 01:09:32.900]  the content underscore cache will give you local file caches. I think this also worked partially
[01:09:32.900 --> 01:09:39.980]  with Google Drive personal version, but there was slight differences there. Also, we'll see
[01:09:39.980 --> 01:09:46.600]  the metadata underscore SQLite DB. That will give offline files, cloud files, deleted files,
[01:09:46.600 --> 01:09:52.840]  and other metadata. So if we dive a little deeper and look at the sync config database,
[01:09:53.480 --> 01:10:00.660]  which is located inside of AppData local Google Drive, it's got a bunch of different tables,
[01:10:00.660 --> 01:10:04.920]  but the one of interest is the data table. And within the data table, we're going to see
[01:10:05.460 --> 01:10:09.140]  the highest application version, so we can see what version they're using, see if there's any
[01:10:09.140 --> 01:10:15.040]  known vulnerabilities or exploits. With the local sync root path, you get the path of the
[01:10:15.040 --> 01:10:20.660]  local file source or where those are sitting locally on their file system. We'll also get the
[01:10:20.660 --> 01:10:26.280]  user's Gmail account. So here's a screenshot of what that'll look like. We pivot over into the
[01:10:26.280 --> 01:10:31.460]  data table, and that's where we can see those different rows with interesting information.
[01:10:31.460 --> 01:10:40.500]  The Cloud Graph database, the main table that we're interested in is the Cloud Graph
[01:10:40.500 --> 01:10:47.160]  entry table. And that's going to give us stuff like every document in their Google Drive with
[01:10:47.160 --> 01:10:54.560]  the unique ID, the file name or folder of the object that's synced. The last time it was modified
[01:10:54.560 --> 01:11:01.120]  in Unix Epoch, I did not test on what triggers that modify time. So I do want to just warn you
[01:11:01.120 --> 01:11:06.000]  if you're an incident responder or forensics, you may want to do some testing to verify that
[01:11:06.580 --> 01:11:13.420]  is it a file open? Is it a edit? Is it a sync? What will trigger that modify time? I didn't go
[01:11:13.420 --> 01:11:19.500]  that far into detail. The ACL role will tell you whether or not the owner, so the person you're
[01:11:19.500 --> 01:11:25.040]  looking at on their system, if they own the file or if it's shared with them. We also, what's
[01:11:25.040 --> 01:11:30.740]  interesting is with Google Drive is that you'll see a doc type column, and the doc type column
[01:11:30.740 --> 01:11:36.020]  will give you what format the file is. And so it's a little bit limited, but it's interesting.
[01:11:36.020 --> 01:11:40.200]  If you see a zero, it means that the object you're looking at is a folder or a directory
[01:11:40.600 --> 01:11:47.740]  or equivalent to a directory. If you see a one, you'll see that it's a traditional file, like a
[01:11:47.740 --> 01:11:53.860]  Word doc, a PDF, something like that, a zip file. If you see two through 13, those are reserved for
[01:11:53.860 --> 01:11:57.820]  Google Files, but they go a little bit more detail since they own those files, obviously.
[01:11:57.820 --> 01:12:02.080]  If it's three, it's a Google formatted presentation. Sorry, a two is a Google formatted
[01:12:02.080 --> 01:12:09.120]  presentation. A four is a Google formatted spreadsheet. A six is a Google formatted document.
[01:12:09.500 --> 01:12:14.860]  Now, there's a removed column, and I couldn't get that to trigger. So when I deleted things,
[01:12:14.860 --> 01:12:19.620]  I moved to the trash, nothing really changed there. So I'm not sure what that's reserved for
[01:12:19.620 --> 01:12:24.180]  or why Google has that. We also get something that's really interesting is the file hash.
[01:12:24.180 --> 01:12:30.760]  So we get the file hash of the object, whether it's a Google spreadsheet, or it's a PDF,
[01:12:30.760 --> 01:12:37.200]  we're going to get the MD5 hash of that object. If we open it up in the database and DB browser
[01:12:37.200 --> 01:12:43.160]  for SQLite, we're going to be able to see things there, like I just talked about. Now, that doc ID
[01:12:43.160 --> 01:12:49.400]  is unique across Google Drive. And so you're going to be able to identify that if you didn't have the
[01:12:49.400 --> 01:12:53.280]  hash, you could find that in other databases as well. But we can even see there the different
[01:12:53.280 --> 01:13:01.760]  file names of all those files that are in the Google Drive. The sync underscore log dot log
[01:13:01.760 --> 01:13:07.020]  file, this one was a little bit hard to read, and we'll take a look at it. But it's, in my opinion,
[01:13:07.160 --> 01:13:12.720]  a little better if you use some type of parsing tool like bash, maybe use grep or awk, or you have
[01:13:12.880 --> 01:13:18.180]  a SIEM, you could even do a free tier of Sumo Logic to parse this out. There are tons of different
[01:13:18.180 --> 01:13:23.040]  actions that are interesting. Everything is started with action dot. So you could do action
[01:13:23.040 --> 01:13:27.700]  dot wildcard, or if there's specific actions you were trying to narrow down to see, you know,
[01:13:27.700 --> 01:13:32.540]  is this user using Google Drive? Are they deleting files? What's going on? Whatever action you're
[01:13:32.540 --> 01:13:36.860]  interested in, you can parse for those, you can grep them, you can search for them, etc.
[01:13:38.320 --> 01:13:42.020]  And then not only that, but you can also see the direction that things happen. So
[01:13:42.020 --> 01:13:46.800]  was the action to delete, was that local? Or did they delete it within the cloud?
[01:13:47.320 --> 01:13:51.960]  Did they add a new file? Was that added on the local file system? Or did they add it by going
[01:13:51.960 --> 01:13:57.780]  to drive.google.com? So looking in that log file, you can actually look at the direction dot,
[01:13:57.780 --> 01:14:02.960]  it'll tell you if it was initiated within the cloud or locally. You also see shared equals
[01:14:02.960 --> 01:14:07.060]  and then true or false. And that tells you if it's if they're sharing enabled or not.
[01:14:07.060 --> 01:14:13.600]  And then another way that I found useful for parsing for file names is I grep for name equals
[01:14:13.600 --> 01:14:17.940]  you. And then you'll look, you'll be able to find all the different file names. And you could
[01:14:17.940 --> 01:14:22.840]  even then grep for certain things like pass or password, or username, whatever your use case
[01:14:22.840 --> 01:14:29.480]  is there. So just by for an example, I uploaded that file to Sumo Logic, and I did a log reduce
[01:14:29.480 --> 01:14:34.580]  so that you could see, it gives me a count. So I'm able to start to see, well, how many files
[01:14:34.580 --> 01:14:41.920]  were downloaded. And we could see there that 22 log files, or I guess entries in the log file
[01:14:41.920 --> 01:14:46.020]  match that telling me that there was a download action. So something happened from the cloud,
[01:14:46.020 --> 01:14:52.920]  and then it was synced locally. If we look at that snapshot.db database, that'll give us
[01:14:53.660 --> 01:14:58.520]  similar things we saw before. But the added value that we see here is that whether or not
[01:14:59.080 --> 01:15:03.240]  the file is shared with other users. And that's gonna be one of the new fields that we'll see
[01:15:03.240 --> 01:15:09.680]  here are the columns. Something that you may have to look at for both snapshot.db and cloud
[01:15:09.680 --> 01:15:16.020]  underscore graph.db is that in the cloud relations table, you'll be able to map out where things are
[01:15:16.020 --> 01:15:21.140]  located. So the database doesn't give you a clear understanding of where things are positioned.
[01:15:21.140 --> 01:15:26.760]  Do we have files and folders? Or do we have... what are those folders called? So you
[01:15:26.760 --> 01:15:32.180]  might have to look in both those databases in the cloud relations table. And within the cloud
[01:15:32.180 --> 01:15:36.560]  relations table, that gives you almost a key of where things are stored. And they're going to use
[01:15:36.560 --> 01:15:43.440]  those doc IDs and the parent doc IDs. And so you could see that on the right-hand side there,
[01:15:43.440 --> 01:15:49.740]  the one that starts with 1NGR blah, blah, blah, that's in the root. But then there's multiple
[01:15:49.740 --> 01:15:56.440]  files there. The row 2, 3, 4, 5, those are files that are sitting within that root folder.
[01:15:57.820 --> 01:16:02.800]  So this is essentially how you kind of map that back is if you're looking at, let's say,
[01:16:02.800 --> 01:16:07.320]  the cloud entry table, and you want to know, well, I see there's an object called finance,
[01:16:07.320 --> 01:16:11.020]  and I see a bunch of other files, but which files are sitting in the finance directory?
[01:16:11.200 --> 01:16:16.060]  Well, you would open up that cloud relations table, and then you could map those out and see,
[01:16:16.060 --> 01:16:23.420]  oh, okay, I get it. It's sitting in this directory. Okay, so this brings us up to a lab.
[01:16:23.840 --> 01:16:29.220]  I think what I'm going to go ahead and do is dive into some of the other ones since we've got about
[01:16:29.220 --> 01:16:33.220]  40 minutes left. So I'm going to keep going with the slides, and then at the very end,
[01:16:33.220 --> 01:16:36.320]  I'll kind of hang around, and we can walk through some of those labs together.
[01:16:36.940 --> 01:16:42.780]  So as I mentioned, Dropbox is a bit different there. Dropbox uses encrypted SQLite databases,
[01:16:43.420 --> 01:16:49.020]  SQLite Encryption Extension, SEE, since 2011. So very early on, they've been encrypting those
[01:16:49.020 --> 01:16:54.400]  SQLite databases, so we don't have as much visibility into them. Now, the bright side,
[01:16:54.400 --> 01:16:59.200]  though, is that the key for the encrypted database is stored in the registry. However,
[01:16:59.200 --> 01:17:05.360]  it's encrypted with Windows Data Protection API, or DPAPI, as I'll call it. You can either brute
[01:17:05.360 --> 01:17:11.860]  force the key, but good luck with that, or you can extract the DPAPI keys from memory.
[01:17:12.000 --> 01:17:16.900]  I was not able to do this. I tried this in the lab a couple of times. It didn't work. However,
[01:17:16.900 --> 01:17:24.660]  Francisco has a toolkit called DEC WinDBx Toolkit. I'll try and get you... hopefully,
[01:17:24.660 --> 01:17:29.040]  I've got the GitHub link on the next slide or two, but there's a toolkit. There's both
[01:17:29.560 --> 01:17:35.780]  Python, PowerShell, and executables that will pull that from memory. The version of Windows 10
[01:17:35.780 --> 01:17:39.900]  I had in my lab environment, it would not work. So I don't know if that's because it was
[01:17:40.240 --> 01:17:45.220]  a lab environment, if it was the version of Windows. I didn't get it to work. However,
[01:17:46.280 --> 01:17:52.080]  there's plenty of talks out there that talk a little bit more about this. So you can go ahead
[01:17:52.080 --> 01:17:59.560]  and Google Dropbox DPAPI keys, and there's some great talks to talk about this and how they did
[01:17:59.560 --> 01:18:04.280]  their research. The one thing we will be able to see, though, even though the databases are
[01:18:04.280 --> 01:18:09.240]  encrypted, is that we'll see the .dropbox.cache, and that contains miscellaneous temporary cache
[01:18:09.240 --> 01:18:14.300]  files. So sometimes, even if there's files that are deleted by other users, we'll be able to see
[01:18:14.300 --> 01:18:22.060]  those deleted files within that cache location. Also, with a lot of these different Dropbox,
[01:18:22.700 --> 01:18:30.460]  is that when you delete files within the cloud, what happens is that if you're even on the web
[01:18:30.460 --> 01:18:36.240]  interface or on another system, when you delete that file, it syncs that delete. But unlike the
[01:18:36.240 --> 01:18:41.900]  cloud versions or the web interfaces where there's that temporary trash location that may be purged
[01:18:41.900 --> 01:18:49.140]  automatically between 30 or 120 days, when you delete that on the local file system, what
[01:18:49.140 --> 01:18:54.240]  generally happens is that file goes into the trash can. So often, if you go into the trash can
[01:18:54.240 --> 01:18:57.840]  on the local file, you'll end up finding things that were deleted from the cloud, and those do
[01:18:57.840 --> 01:19:02.480]  not get deleted automatically. It's going to take the user running CCleaner or right-clicking on
[01:19:02.480 --> 01:19:09.820]  their trash can or recycle bin and emptying those. So the other piece here, and this is
[01:19:10.340 --> 01:19:15.680]  the talk that I got some of this information from, was Nicholas and Florian. They did a talk called
[01:19:15.680 --> 01:19:22.860]  A Critical Analysis of Dropbox Software Security. It was at hack.lu in 2012,
[01:19:23.440 --> 01:19:27.020]  and they posted about it in their blog, and they talk about where these keys are located
[01:19:27.020 --> 01:19:32.180]  and how they extracted this out. But these are the file locations where those keys are stored.
[01:19:33.560 --> 01:19:39.400]  Okay, and I did post here, if you want to check out the dbx decryption toolkit, it did not work
[01:19:39.400 --> 01:19:43.840]  for me, but if you get it working, let me know. LinkedIn, Twitter, I'd love to hear how you got it
[01:19:43.840 --> 01:19:49.840]  working. So they have that toolkit located there, and you've got PS1 files, you've got Python files
[01:19:50.480 --> 01:19:56.860]  that essentially will extract that out. Okay, and then I just list out here a bunch of different
[01:19:56.860 --> 01:20:00.520]  directories and paths, but most of these we don't get a lot of information from because
[01:20:00.520 --> 01:20:08.260]  the .dbx and the .db databases, they are encrypted. So even the ones like home.db,
[01:20:08.260 --> 01:20:12.880]  where it looks like it might not be encrypted, I could not get any useful information out of
[01:20:12.880 --> 01:20:22.780]  those locations. Okay, with Box. So Box is very similar to Google Drive. We have a bunch of
[01:20:22.780 --> 01:20:29.020]  different files and locations, and then log files, as well as database files. The other cool thing,
[01:20:29.020 --> 01:20:35.480]  probably my favorite location within Box, is that there's the appdata local box cache directory,
[01:20:35.480 --> 01:20:42.000]  and that stores complete files that were opened both locally and are possibly even cached.
[01:20:42.000 --> 01:20:45.920]  So we will be able to see not the file name, but we'll actually be able to recover
[01:20:46.540 --> 01:20:49.540]  files, whether or not they've been deleted from Box.
[01:20:51.140 --> 01:20:57.240]  Okay, we also have some log files, which give us detailed activity of both the file activity,
[01:20:57.240 --> 01:21:01.920]  but then there's also a Box UI log file that tells us when the user logged in,
[01:21:01.920 --> 01:21:05.500]  what kind of network connection they had, if they lost internet connectivity.
[01:21:05.500 --> 01:21:10.520]  I mean, it's almost like stalking the user with the UI application. So there's a lot of
[01:21:10.520 --> 01:21:16.800]  detailed information there. We also have the boxstream.log, and that's going to give activity
[01:21:16.800 --> 01:21:23.480]  around metadata, paths, log locations, log files, free space on the file system, all kinds of juicy
[01:21:23.480 --> 01:21:29.880]  information there. And then we also have the syncrootfolder.txt, it just tells you where the
[01:21:30.540 --> 01:21:35.040]  default file store is located. And then there's a couple databases that will give you local files,
[01:21:35.040 --> 01:21:39.680]  cloud files, cached files, usernames, passwords, or not passwords, email addresses, and that kind
[01:21:39.680 --> 01:21:46.640]  of stuff. So if we looked at the boxstream.log, there's keywords that you might want to parse
[01:21:46.640 --> 01:21:53.560]  out with grep or awk, things like add file, add folder, on delete file, on delete folder, open,
[01:21:53.560 --> 01:21:57.060]  so you can get those different activities, and it'll tell you which files. So there on the screen,
[01:21:57.060 --> 01:22:02.060]  we can see a file was added, the date and time, the file was called the Mike Wiley 2020 strategic
[01:22:02.060 --> 01:22:10.620]  plan.rtf. Then also, we could see other things here about, you know, where things are cached,
[01:22:11.360 --> 01:22:16.960]  where the database is located, mount points, stuff like that. So as I mentioned, my favorite
[01:22:16.960 --> 01:22:22.080]  one is that cache directory. If you look at the cache directory, you'll see either what's a GUID
[01:22:22.080 --> 01:22:26.980]  or a hash for the file, but it's not the actual file name. The cool thing, though, is that if you
[01:22:26.980 --> 01:22:32.820]  open up any of those files in a hex editor, you can look at the magic byte or magic bit in the
[01:22:32.820 --> 01:22:38.920]  beginning, and we can see it's an rtf file. So then we could just rename that file to example.rtf,
[01:22:38.920 --> 01:22:47.080]  and then we can open it up in a respective software application. The box UI, this is just a
[01:22:47.080 --> 01:22:52.420]  sample of what you might see. You could see when the user logged out, when they logged back in,
[01:22:52.420 --> 01:22:56.960]  hard drive space, network connectivity, all kinds of stuff built in there.
[01:22:58.220 --> 01:23:04.520]  And then within that box dash, and then the date, or version number, sorry, we're going to see those
[01:23:04.520 --> 01:23:10.660]  different files like test.txt, content created at, you know, different times, again, obviously,
[01:23:10.660 --> 01:23:18.880]  in Unix epoch time. Okay, and then we'll see the different box databases with interesting things,
[01:23:18.880 --> 01:23:24.080]  very similar to Dropbox, but this time we get SHA hashes, we can see when things were created,
[01:23:24.080 --> 01:23:28.000]  they were updated, again, take that with a grain of salt, I don't know which actions trigger those
[01:23:28.000 --> 01:23:32.540]  updated, if it's local, if it's cloud, if it's a combination, so you just don't want to rely on
[01:23:32.540 --> 01:23:38.400]  those dates unless you're sure. So here again, you can see those different, the local IDs,
[01:23:38.400 --> 01:23:44.280]  native item type, whether or not it's a file or folder, we can see the parent item ID, so we can
[01:23:44.280 --> 01:23:50.360]  map out what's sitting in what location, file names, inode ID, that inode ID is going to become
[01:23:50.360 --> 01:23:58.980]  important later for mapping things out to file names. Streams fs.db, there we get things like
[01:23:58.980 --> 01:24:05.900]  the file name of the item that's in that cache, so we could actually now, if we open streams fs.db,
[01:24:05.900 --> 01:24:10.260]  we can find out all those random file names that were sitting in that cache location,
[01:24:10.260 --> 01:24:13.760]  we can actually see the true file name to see if that's relevant or not.
[01:24:16.220 --> 01:24:20.740]  Okay, and then if we want to map that out, so if we want to see here, we've got the,
[01:24:20.740 --> 01:24:26.440]  that, that streams fs.db, and we go in the cache file table, we don't see the file name,
[01:24:26.440 --> 01:24:30.520]  but we do get to see that inode ID. So we're going to have to take that inode ID,
[01:24:30.520 --> 01:24:36.420]  open up the syncdb database. And from there, we can map the inode ID and we can see, oh, okay,
[01:24:36.420 --> 01:24:43.220]  so this A1, B4, blah, blah, blah, glitter hash, that is the business plan document that we want
[01:24:43.220 --> 01:24:50.340]  to recreate. And if we open that up again, in a hex editor, or even a text pad, or notepad,
[01:24:50.340 --> 01:24:56.580]  we can see that the, we've got the magic byte of PK, which tells us it's a .docx. So we can now
[01:24:56.580 --> 01:25:03.260]  rename that file business plan.docx, and we can then open it up in Microsoft Word. So I went ahead
[01:25:03.260 --> 01:25:07.280]  and did that, I renamed the file, give it the proper file extension, opened it up this time
[01:25:07.280 --> 01:25:14.220]  in WordPad, and we can actually see that business plan for startup business. And that file had been
[01:25:14.220 --> 01:25:20.120]  deleted from, from Box. So it was no longer sitting in Box, but the cache was still sitting there.
[01:25:22.220 --> 01:25:27.920]  Okay, just map out some more of those things and what those locations are for. So again,
[01:25:27.920 --> 01:25:31.400]  I'm going to keep going, and then we'll come back to the lab afterwards, rather than one by one,
[01:25:31.400 --> 01:25:35.900]  because I do want to make sure in the next 25 minutes or so that we do hit the rest of the
[01:25:35.900 --> 01:25:42.460]  content here. And I've got about 20-ish slides left. So with Citrix ShareFile, very similar to
[01:25:42.460 --> 01:25:48.140]  Google Drive and Box. The interesting thing about this is that the application, to download it,
[01:25:48.140 --> 01:25:52.680]  you had to go through that paywall, or at least a trial registration for businesses only.
[01:25:52.680 --> 01:25:56.300]  However, I was able to use a Gmail account and they let me just get in, but there's no free
[01:25:56.300 --> 01:26:03.980]  version. Similar to Google File Stream, once you install ShareFile, it creates a virtual volume
[01:26:03.980 --> 01:26:10.700]  in FAT32. It mounts as the S drive. All their databases are unencrypted in SQLite format.
[01:26:11.220 --> 01:26:17.980]  So they have a list of all the remote files and folders in the remote DB.
[01:26:18.700 --> 01:26:21.540]  If you want to see all the files that, and I like how they break it out,
[01:26:21.540 --> 01:26:25.000]  if you want to look at all local files that are sitting there in the file system,
[01:26:25.000 --> 01:26:28.800]  it's localitem.db. So you've got two different databases, whether it's local,
[01:26:28.800 --> 01:26:32.580]  or they're sitting in the cloud. And again, these are things that maybe have never been synced
[01:26:33.140 --> 01:26:36.740]  with the end user system, but you can find out what they have access to.
[01:26:37.340 --> 01:26:42.040]  And then there's a Citrix files underscore, and then a date.log. And that gives a detailed
[01:26:42.040 --> 01:26:45.780]  activity of what things have synced, what files they have access to, and stuff like that.
[01:26:45.780 --> 01:26:50.280]  And then similar to Box, there's a part cache directory, where you can gain access to all
[01:26:50.280 --> 01:26:57.120]  those cached files. Okay, and don't want to go too much into, again, all the different columns
[01:26:57.120 --> 01:27:01.900]  and folders, but it's very similar. We get a lot of unique IDs, and we can map out where things
[01:27:01.900 --> 01:27:08.840]  are sitting, what parent directory they're in, and we even have a unique ID. Similar to Box and
[01:27:08.840 --> 01:27:14.020]  Google Drive, you have the hash as well, so you get that fingerprint of the file.
[01:27:14.800 --> 01:27:18.300]  All right, but they actually have in these remote and the local item database,
[01:27:18.300 --> 01:27:21.520]  they have a lot of columns in there, as far as permissions and stuff.
[01:27:21.520 --> 01:27:25.360]  I didn't have time to map out what all those permissions meant, whether they were shared,
[01:27:25.360 --> 01:27:29.320]  read, write, that kind of stuff. But you get a plethora of information, including even the file
[01:27:29.320 --> 01:27:36.900]  size of the different files within Citrix ShareFile. Local items, very similar. You get the
[01:27:36.900 --> 01:27:41.040]  hashes, URLs this time, though. What I thought was interesting with this one, though, is that there
[01:27:41.040 --> 01:27:47.420]  was a URL within the local item database. It gave a, what I believe to be an instance ID,
[01:27:48.180 --> 01:27:54.420]  .sf-api.com, and then some directories and an item ID. I tried to visit those with a browser,
[01:27:54.420 --> 01:28:00.200]  and I got nothing. But I do have a feeling, though, that you're able to work with their API,
[01:28:00.200 --> 01:28:07.040]  you could probably then, by using this, gain access to some of their files using that API.
[01:28:08.580 --> 01:28:12.600]  Okay, and then the directory entry, this really just gives us a parent structure or a structure
[01:28:12.600 --> 01:28:18.500]  of where things are. If you look at that Citrix ShareFile underscore date, and then the date.log,
[01:28:18.500 --> 01:28:22.480]  these are some things that I've identified as words you might want to parse out for using grep
[01:28:22.480 --> 01:28:30.400]  or awk. Upload file, file system notifier, local, win, FSP, delete item, download, upload,
[01:28:30.400 --> 01:28:34.340]  read callback, those are all interesting actions when I did those in my lab environment
[01:28:34.340 --> 01:28:40.120]  that triggered these log files. So similar to Box, where they had that cache directory,
[01:28:40.120 --> 01:28:46.640]  if we go into the part cache, you've got these long GUIDs or hashes, and within those directories,
[01:28:46.640 --> 01:28:52.420]  you're then going to see 0.part. Almost identical to Box, though, if you open that with a
[01:28:52.420 --> 01:28:58.000]  hex editor, you're able to see it's an RTF file or a .docx file, sorry. And you just rename the
[01:28:58.000 --> 01:29:03.360]  file extension. So 0.docx. And I was able to recover the entire document that way as well.
[01:29:04.160 --> 01:29:10.460]  So a couple more things before we dive back into a lab or two. Some other areas that you might be
[01:29:10.460 --> 01:29:15.320]  interested in, okay, well, maybe they didn't download the application. So I'm looking at a
[01:29:15.320 --> 01:29:19.960]  system that I've either compromised as an offensive security professional or from defensive, I am
[01:29:19.960 --> 01:29:25.880]  analyzing this Windows system and trying to figure out what they did or maybe exfiltrated data.
[01:29:26.500 --> 01:29:32.340]  Well, sometimes you can use, obviously, these cloud file storing solutions without installing
[01:29:32.340 --> 01:29:37.400]  the application. And so if so, there may be evidence of that happening if you go ahead and
[01:29:37.400 --> 01:29:41.640]  look in their history, their browsing history. And if we look at their browser history, we can
[01:29:41.640 --> 01:29:47.820]  find things like for Google Docs or Google Drive, you're going to see docs.google.com. And we could
[01:29:47.820 --> 01:29:53.340]  see whether or not they were viewing or editing spreadsheets, presentations, documents, what type
[01:29:53.340 --> 01:29:58.920]  of file they were editing. So we don't get insight to which file, the name of the file, but we will
[01:29:58.920 --> 01:30:06.160]  be able to see if they viewed or edited any types of files in Google Drive. If they go to the root
[01:30:06.160 --> 01:30:11.340]  of Google Drive, it's different. So if they're actually editing, it's docs.google.com. If they're
[01:30:11.340 --> 01:30:18.000]  just viewing their drive and the folders in them without viewing a specific object, it's drive.google.com
[01:30:18.000 --> 01:30:24.540]  slash drive slash my drive. You can also, if they browse to any subdirectories that are in their
[01:30:24.540 --> 01:30:30.860]  Google Drive, so the finance or personal folder, their browsing history, you'll see drive.google.com
[01:30:30.860 --> 01:30:36.440]  slash drive dash folders. And then if they want to, if they delete something and they look in
[01:30:36.440 --> 01:30:41.040]  their trash, you're going to see drive.google.com slash drive slash trash, which meant they have
[01:30:41.040 --> 01:30:47.140]  visited their trash can recently. Similarly, if they look at the root directory in Box, you're going to see
[01:30:47.140 --> 01:30:53.000]  app.box.com slash folder and the root directory. So once they log in and they just look at all their
[01:30:53.000 --> 01:31:01.000]  files and folders, it's zero. Now, if they view in personal version, though, of Box, I'm sorry, of
[01:31:01.000 --> 01:31:06.420]  OneDrive, if they're in OneDrive, you're going to see onedrive.live.com slash question mark ID
[01:31:06.420 --> 01:31:10.600]  equals root, which means they're in the root. And then you're also going to be able to identify
[01:31:10.600 --> 01:31:15.020]  their CID. So if they say, no, it wasn't me that logged in, someone else was on my machine,
[01:31:15.020 --> 01:31:19.880]  you can actually map that CID back to see how much activity they're doing on the web versus
[01:31:19.880 --> 01:31:25.340]  maybe when you looked at the registry keys and you saw that they had synced OneDrive locally,
[01:31:25.340 --> 01:31:30.300]  that's how you can see that that same user was logged in the browser doing stuff in OneDrive
[01:31:30.300 --> 01:31:36.480]  as was installed on the application. Dropbox will just give you the root, you'll see slash home.
[01:31:36.480 --> 01:31:40.560]  If they go to any other documents or view it with their emulator of like,
[01:31:40.560 --> 01:31:43.960]  okay, you can view a Word doc or a PDF or something like that, you're going to see
[01:31:43.960 --> 01:31:50.200]  dropbox.com slash SCL. And that tells you that they have viewed things within the web browser.
[01:31:51.020 --> 01:31:54.720]  And if they want to go view or they view any contents and other folders, you're just going
[01:31:54.720 --> 01:31:59.440]  to see dropbox.com slash home. And then you will see the folder name. So you actually get to see
[01:31:59.440 --> 01:32:03.600]  finance operations or whatever the folder name is that they were looking at.
[01:32:04.640 --> 01:32:07.900]  So the data that I gave you for the lab environment that we're going to go back to
[01:32:07.900 --> 01:32:14.160]  in just a second here, I've got two slides left. The way I extracted that, and it was a new way of
[01:32:14.160 --> 01:32:18.620]  doing it for this lab, since we're all virtual, and I didn't want to hand out large VMs. I used
[01:32:18.740 --> 01:32:24.540]  a tool called CAPE. And I built a target, which basically says, what do you want to extract?
[01:32:25.280 --> 01:32:29.280]  Now, I copied some of the stuff that was in the original target that I looked at where they had
[01:32:29.280 --> 01:32:36.100]  some things for OneDrive, and I mimicked that. And I built it out for Dropbox, OneDrive, Box,
[01:32:36.660 --> 01:32:40.140]  Citrix ShareFile, and I can't remember which one I missed there, Google Drive.
[01:32:40.140 --> 01:32:45.220]  But all five different ones that we've talked about today, the target that I built there,
[01:32:45.220 --> 01:32:49.500]  I built that out to extract that. And it does so within about 10 seconds.
[01:32:49.660 --> 01:32:54.560]  So if you run CAPE from the command line, you can see, I lied, it was 12 seconds. It's going to
[01:32:54.560 --> 01:33:01.100]  pull up all the registry keys, and all those cached files, and anything else that is identified
[01:33:01.100 --> 01:33:05.280]  with one of those cloud file storage solutions. Now, if they have tons of data, it might be a
[01:33:05.280 --> 01:33:10.000]  little bit longer. But the point is, within 12 seconds, whether I'm on an offensive or defensive
[01:33:10.700 --> 01:33:16.680]  engagement, I'm able to exfiltrate, or not exfiltrate, but grab all of that useful information
[01:33:16.680 --> 01:33:20.520]  that shows me any type of evidence that they are using those files, and possibly even the
[01:33:20.520 --> 01:33:26.460]  cached files that I can recreate. So that brings us into the lab. I think the second lab that we
[01:33:26.460 --> 01:33:31.560]  skipped over is going to go ahead and be Google Drive. If you've got to take off, I know it's,
[01:33:31.560 --> 01:33:35.280]  you know, I'm here in Los Angeles, it's already 5pm. But if you're on the East Coast,
[01:33:35.280 --> 01:33:38.640]  it's probably a bit later, or maybe somewhere else around the world.
[01:33:38.700 --> 01:33:43.680]  I encourage you to connect with me on Twitter, and LinkedIn, that's the best way to get a hold of me,
[01:33:43.680 --> 01:33:49.160]  and chat in the future. For those of you who are staying around for the next 20 minutes or so,
[01:33:49.160 --> 01:33:56.160]  we're going to go ahead, I'll give you about 10 minutes to try the Google Drive lab. And after
[01:33:56.160 --> 01:34:01.080]  you try the Google Drive lab, then I'll do a quick walkthrough. So on my screen here, I'm just going
[01:34:01.080 --> 01:34:06.720]  to pull up the ones you see which one we're looking at. So it's going to be examining cloud
[01:34:06.720 --> 01:34:10.980]  file storage incidents lab, Google Drive, again, just like the other one, you've got the lab
[01:34:10.980 --> 01:34:15.280]  instructions. And then if you scroll all the way down, you'll be able to see the detailed walkthrough.
[01:34:27.430 --> 01:34:33.590]  Okay, I'll go ahead and do the walkthrough here. So the first instruction says to run
[01:34:33.590 --> 01:34:41.330]  DB browser for SQLite. And it's located, in this case, it says C program, DB browser SQLite,
[01:34:41.330 --> 01:34:50.830]  but we've got to install that. So let me go down to my installs and get that going.
[01:35:02.910 --> 01:35:11.010]  Okay, and then once this loads here and finishes up, we're going to browse to Google Drive, or it's
[01:35:11.010 --> 01:35:16.830]  in AppData, local Google Drive, and then user default. And we're looking for the sync config
[01:35:16.830 --> 01:35:32.200]  database. Okay, so I'm going to just run DB browser for SQLite. Pin this. Perfect. Okay, so we're
[01:35:32.200 --> 01:35:45.440]  open database. I'm going to go to my downloads, evidence, and C drive, users. Oops, sorry.
[01:35:45.740 --> 01:35:58.140]  Windows, system 32. No, I am all messed up here. I apologize. C, users, Bob, AppData, local,
[01:35:58.940 --> 01:36:06.020]  Google, Drive, user defaults. And then within here, that's where I'm looking for the sync config.
[01:36:06.240 --> 01:36:12.280]  So I've got that database, I open it up and expand this out a little bit.
[01:36:15.070 --> 01:36:20.490]  Okay, and then we go down the instructions here, we're going to look for, click on the browse
[01:36:21.290 --> 01:36:28.890]  data tab. So if we click over here, browse data, we get a better view of everything that's going on.
[01:36:29.290 --> 01:36:39.300]  Expand this out a little bit. Okay. And so the first question is, what is the data value for
[01:36:39.300 --> 01:36:43.580]  the following? So we're looking for the highest application version, local sync root path and
[01:36:43.580 --> 01:36:49.360]  user email. So we can see here, this is the version of Google Drive that was installed
[01:36:49.360 --> 01:36:53.000]  on the machine that we're looking at. So again, we can look for vulnerabilities, we can
[01:36:53.720 --> 01:36:58.760]  match it up to the system, whatever the use case is. And then local sync root path.
[01:37:05.260 --> 01:37:11.280]  Oops, I messed that up. Local sync root path, here we see it is C, Users, Bob, Google Drive.
[01:37:11.280 --> 01:37:17.260]  And then for email, we see it's bob.mckley.re.gmail.com. It's the same one that the HR had in
[01:37:17.260 --> 01:37:25.400]  their file. Step two is we're going to browse to Cloud Graph. So I'm going to go open a new database
[01:37:26.940 --> 01:37:34.220]  and within Drive, it's user defaults, Cloud Graph, cloudgraph.db.
[01:37:35.800 --> 01:37:37.960]  And I don't want to save changes.
[01:37:40.060 --> 01:37:45.180]  Now on this one, I'm going to have to change the table here. And so it tells me to go to the
[01:37:45.180 --> 01:37:52.660]  Cloud Graph entry table. So click on that one. And then from here, we want to know what's the
[01:37:52.660 --> 01:37:59.260]  file name for doc type six. So I'm looking for doc type six here, I see one that's this one.
[01:37:59.260 --> 01:38:05.000]  So it's a remember from, what was it, three to 12 or 13. Those are Google formatted documents.
[01:38:05.600 --> 01:38:09.320]  And I'm gonna expand this file name to see what this file was called.
[01:38:10.840 --> 01:38:14.960]  Ways to tell your boss you're leaving. That sounds suspicious, something you might want
[01:38:14.960 --> 01:38:21.180]  to look into a little bit more. Okay, and then let me look down for
[01:38:26.600 --> 01:38:33.440]  here. And then we want to look at what type that was. Obviously, we can go back to the slides and
[01:38:33.440 --> 01:38:39.180]  see that that was a Google formatted doc. And we want to look at the modified date for a file
[01:38:39.900 --> 01:38:47.960]  of where the file type was six. So I can scroll over modified date, right this date, though,
[01:38:47.960 --> 01:38:56.660]  we're gonna want to copy this. And let me go ahead and do this. I'm just going to open up Google here.
[01:39:03.440 --> 01:39:11.680]  And I convert this, we could see the exact time. I'm going to paste in the time that we got.
[01:39:12.480 --> 01:39:19.540]  And it's going to tell us both are my local time as well as UTC or GMT. If we're looking at GMT,
[01:39:19.540 --> 01:39:26.340]  it was Friday, April 17, 2020, 6:01:25 am. And that's something that we're going to want to go ahead and
[01:39:26.340 --> 01:39:32.880]  look at. And so even if we look at local time, though, for me, it was at 11:01 pm. So if this is
[01:39:33.020 --> 01:39:37.680]  a work machine, why are they the file name was tell your how to tell your boss you're leaving.
[01:39:37.680 --> 01:39:41.420]  And I believe this was the night before I believe on the 17th the morning of
[01:39:42.600 --> 01:39:48.200]  Bob McClee put in notice. So at 11pm was looking for ways to find bosses leaving.
[01:39:50.540 --> 01:40:01.510]  Okay, then we've got on the scroll down my tutorials.
[01:40:07.470 --> 01:40:13.390]  Catch up. Okay. And then after we converted that our next step or question is further examine the
[01:40:13.390 --> 01:40:19.570]  file. Examination of file name column and database uncovers additional documents of interest,
[01:40:19.570 --> 01:40:27.350]  for example, Doc ID one, or one MP, blah, blah, blah. One was the document last modified. So
[01:40:28.270 --> 01:40:34.650]  I'm looking over here, there's one that we want to look at one MP. So I'm looking here one and
[01:40:39.080 --> 01:40:43.000]  this one here. And it says resignation letter ready dot
[01:40:43.000 --> 01:40:48.880]  RTF. And so we want to look here at the modified time and copy this again.
[01:40:49.880 --> 01:40:52.880]  I'm going to go back over to Google.
[01:40:54.820 --> 01:40:56.240]  pop this in
[01:40:57.740 --> 01:41:06.840]  convert and it looks like Friday, April 17, 6:17 am. So oops, something scrolling way down.
[01:41:07.040 --> 01:41:12.000]  So it looks like the morning of right putting resignation around maybe eight or 9am when
[01:41:12.000 --> 01:41:17.320]  everyone came in the morning of on the work machine, this this document was modified.
[01:41:17.860 --> 01:41:21.640]  Or at least Yeah, last modified. So we don't know what it originally had. But obviously,
[01:41:21.640 --> 01:41:27.080]  it says it's ready to go. And we saw the resignation letter come in on the 17th in the morning.
[01:41:28.500 --> 01:41:29.940]  Go back.
[01:41:32.000 --> 01:41:38.040]  Next step is to what is the hash for the file file name client list. So if we look for the
[01:41:38.040 --> 01:41:46.420]  file here called client list in row 12 can scroll over and now we get the file hash here.
[01:41:46.420 --> 01:41:50.180]  And this might be important because we may see changes along the way. Maybe we look at the
[01:41:50.180 --> 01:41:55.220]  cached version and it's different than this. And maybe we want to verify this, this is the client
[01:41:55.220 --> 01:42:00.580]  list that he stole or that we have in our file server. So we might want to copy that hash down.
[01:42:03.140 --> 01:42:06.500]  Okay, next piece is that we are going to open up the sync log.
[01:42:06.500 --> 01:42:17.060]  So I'll minimize this, we'll go over here. And go to my downloads, go to the evidence we've
[01:42:17.060 --> 01:42:32.340]  collected, click in there, C, and Users, Bob, AppData, Local, Google, Drive, and then user
[01:42:32.600 --> 01:42:41.960]  default. And then within here, we should see the we're looking for sync log. This one open up and
[01:42:41.960 --> 01:42:50.920]  expand that a little bigger for you. And within here, again, ideally, you do something like
[01:42:50.920 --> 01:42:57.360]  Sumo Logic or some other tool to parse this out. We want to look at where did the file originate
[01:42:57.360 --> 01:43:04.640]  from. And, and we're looking for specific things like resignation letter. So I want to see when
[01:43:04.640 --> 01:43:17.960]  things were synced and changed here. So let me do a search and find and I'm going to search for
[01:43:18.600 --> 01:43:30.480]  resignation letter. Okay, and then here, we see that close this out.
[01:43:31.540 --> 01:43:38.040]  Right, so we get the date and the time all the way on the far left there was the 16th, 22:35, at least
[01:43:38.040 --> 01:43:46.120]  local time. Over here, we see receive change directions upload. So the user on this system
[01:43:46.120 --> 01:43:52.640]  that the work machine, the file was changed. And then this, the changes were synced or uploaded to
[01:43:52.640 --> 01:44:00.500]  the cloud and matches the file name. And look at this resignation draft, we saw resignation
[01:44:00.500 --> 01:44:05.200]  letter ready. So this might have been changed around that time. Originally, it was in draft
[01:44:05.200 --> 01:44:13.500]  format, and the user changed that. And sometimes we also get hashes here as well. Okay, but it was
[01:44:13.540 --> 01:44:19.360]  a local system. So it was the direction was upload, they made that change locally, it got synced up.
[01:44:20.500 --> 01:44:30.060]  Next question is, we want to find all instances of this. And again,
[01:44:30.060 --> 01:44:36.480]  some other parsing tools better. But if I go here to search, and I type find again,
[01:44:36.480 --> 01:44:41.960]  and I do find all in open document, this is going to give us a list. And I don't know how to make
[01:44:41.960 --> 01:44:49.440]  this bigger for you. But we can see here all the different times that resignation letter was
[01:44:50.780 --> 01:44:54.960]  was in here. But basically, what I would do in a much better way with some other tools,
[01:44:54.960 --> 01:45:00.840]  I'm looking here for the name resignation letter draft, draft, draft,
[01:45:02.600 --> 01:45:07.840]  draft, and I want to kind of find down here where it's changed from draft. So I see ready down here,
[01:45:07.840 --> 01:45:11.420]  I don't want to spend all the time doing this. But I'm going to look for the line item where it
[01:45:11.420 --> 01:45:16.840]  says draft, and then the next one says ready. And that's going to tell us when that change was made,
[01:45:16.840 --> 01:45:22.460]  where they renamed the file, and now it's ready. Okay, and then
[01:45:25.520 --> 01:45:33.160]  next step, we go back to SQLite. And we look for an inode ID for an office lease. I know we're
[01:45:33.160 --> 01:45:38.300]  pretty much out of time there. So I know all the other steps are in the detailed walkthrough. If
[01:45:38.300 --> 01:45:41.960]  you want any of that, I did want to give a couple of minutes for questions before I've got to leave
[01:45:41.960 --> 01:45:46.800]  and be respectful of everyone's time. So again, there's a couple more steps to that lab, but you
[01:45:46.800 --> 01:45:52.000]  can look through those we didn't get to the box lab. But you can absolutely go through those and
[01:45:52.000 --> 01:45:56.020]  hit me up on LinkedIn if you have any questions around that. So I'm going to switch back to my
[01:45:56.500 --> 01:46:00.640]  slides and see one more time. If there's any questions, I also want to give a big shout out
[01:46:00.640 --> 01:46:07.260]  and thanks to all the people at the cloud village, the ones that you heard vocally, but then there's
[01:46:07.260 --> 01:46:13.100]  tons of people on the back end who have made this possible and obviously for free. So big
[01:46:13.100 --> 01:46:15.000]  thanks to them and thank you for having me here.
